Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to subtract one date from another date?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All!
I've found the answer. kindly see the codes below.
|convert timeformat="%m/%d/%Y" mktime(start) as starttime mktime(end) as endtime |eval result=(endtime-starttime)/86400
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Need to substract
12-Jun-2018 03:17:20 ---- 12-Jun-2018 03:17:39
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All!
I've found the answer. kindly see the codes below.
|convert timeformat="%m/%d/%Y" mktime(start) as starttime mktime(end) as endtime |eval result=(endtime-starttime)/86400
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subtracts 1 day from the event time (_time) and puts the result into another field (time_one_day_before)
... | eval time_one_day_before=strftime(relative_time(_time, "-1d"),"%Y-%m-%d %H:%M:%S") | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, but this is not what exactly I mean.
ex:
Date_One=07/07/2014
Date_Two=07/05/2014
Date_One and Date_Two are the field names.
how do I subtract a days? please help! thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your date is in epoch format:
... | eval subtracted_date=your_date-86400
If your date isn't in epoch format (you're not telling us if it is), you need to convert it to epoch first using eval's strftime function.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well are you getting the "it" and "ot" fields OK?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it has no result from the field name "diff". because my formula is wrong or something missing my codes? please help. thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That looks OK, where are you getting stuck?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, this is my formula.
| eval it = strptime(Date_One, "%m/%d/%Y")
| eval ot = strptime(Date_Two, "%m/%d/%Y")
| eval diff = (ot - it)
|table diff
ex:
Date_One=07/07/2014
Date_Two=07/05/2014
Can you help me how to subtract a day? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this is super old but I ran into this today and wanted to share in case anyone else needs it again and comes across this post. The below will give you an output of the difference by # of days.
| eval it = strptime(Date_One, "%m/%d/%Y")
| eval ot = strptime(Date_Two, "%m/%d/%Y")
| eval diff = (round((ot-it)/86400,0))
| table diff
If this answer helps you an upvote is appreciated! 🙂
Happy Splunking!
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
