Is there a way to determine days between with the search below?
convert ctime(LastScanDate)|eval tnow = now() | convert ctime(tnow)|eval NoOfDays=(now()-Install)/(3600*24)
If your Install
value is in epoch already, this will give you number of day between today and date represented by install.
.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(Install,"@d"))/86400
If it's not epoch already, convert it to epoch
.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(strptime(Install,"<<TIMEFORMATHERE>>"),"@d"))/86400
Where, TIMEFORMATHERE is the exact time format of the date in the field Install. See this for more details on the format https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables
@jhayIV - Did the answer provided by somesoni2 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
If your Install
value is in epoch already, this will give you number of day between today and date represented by install.
.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(Install,"@d"))/86400
If it's not epoch already, convert it to epoch
.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(strptime(Install,"<<TIMEFORMATHERE>>"),"@d"))/86400
Where, TIMEFORMATHERE is the exact time format of the date in the field Install. See this for more details on the format https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables