Solved: Is there a way to determine days between with this...

jhayIV · ‎02-07-2017

Is there a way to determine days between with the search below?

convert ctime(LastScanDate)|eval tnow = now() | convert ctime(tnow)|eval NoOfDays=(now()-Install)/(3600*24)

somesoni2 · ‎02-07-2017

If your Install value is in epoch already, this will give you number of day between today and date represented by install.

.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(Install,"@d"))/86400

If it's not epoch already, convert it to epoch

.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(strptime(Install,"<<TIMEFORMATHERE>>"),"@d"))/86400

Where, TIMEFORMATHERE is the exact time format of the date in the field Install. See this for more details on the format https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables

View solution in original post

aaraneta_splunk · ‎03-11-2017

@jhayIV - Did the answer provided by somesoni2 help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

somesoni2 · ‎02-07-2017

If your Install value is in epoch already, this will give you number of day between today and date represented by install.

.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(Install,"@d"))/86400

If it's not epoch already, convert it to epoch

.....| eval NoOfDays=(relative_time(now(),"@d")-relative_time(strptime(Install,"<<TIMEFORMATHERE>>"),"@d"))/86400

Where, TIMEFORMATHERE is the exact time format of the date in the field Install. See this for more details on the format https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables

Is there a way to determine days between with this search?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes