Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

STRPTIME date question - Conf19

macattck
Engager
‎10-28-2019 01:29 PM

The below SPL works. The lastLoginDate is a range of dates from 2018 through 9/30/2019. I would like to find the last 30 days or 1 month but I have to manually update the SPL with a hard date. If this was SQL, I would create the Max(lastLoginDate) minus 30 days but it's SPL. Help - thanks.

| eval lastLoginDate=strptime(lastLoginDateStr, "%m/%d/%Y")
| eval referenceDate=strptime("9/1/2019", "%m/%d/%Y")
| where lastLoginDate>=referenceDate

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎10-28-2019 05:22 PM

what you need is eventstats and relative_time

| eval lastLoginDate=strptime(lastLoginDateStr, "%m/%d/%Y")
| eval referenceDate=strptime("9/1/2019", "%m/%d/%Y")
| eventstats max(lastLoginDate) as referenceDate 
| where lastLoginDate>=relative_time(referenceDate,"-30d")

If you have a set of key fields for which you want to do this use a by field in the eventstats as below:

| eventstats max(lastLoginDate) as referenceDate by key_field1, key_field2 ... key_fieldN

Please upvote and mark as answer if this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

arjunpkishore5
Motivator
‎10-28-2019 05:22 PM

what you need is eventstats and relative_time

| eval lastLoginDate=strptime(lastLoginDateStr, "%m/%d/%Y")
| eval referenceDate=strptime("9/1/2019", "%m/%d/%Y")
| eventstats max(lastLoginDate) as referenceDate 
| where lastLoginDate>=relative_time(referenceDate,"-30d")

If you have a set of key fields for which you want to do this use a by field in the eventstats as below:

| eventstats max(lastLoginDate) as referenceDate by key_field1, key_field2 ... key_fieldN

Please upvote and mark as answer if this helps

Reply
Solved! Jump to solution

macattck
Engager
‎10-28-2019 10:07 PM

thanks, your #3 and #4 step worked.

0 Karma
Reply
Solved! Jump to solution

arjunpkishore5
Motivator
‎10-29-2019 03:26 AM

Glad that I could help. 🙂 You can remove step 2. you don't need that since it gets overridden in step 3.
Could you please mark as answer if this is what you were looking for.

0 Karma
Reply
Solved! Jump to solution

macattck
Engager
‎10-28-2019 02:23 PM

Thanks for responding. I should have added that the Max Date from the file is constant since it comes from an Excel File. That's why hard coding greater than "9/01/2019" works. I need to create a reference of the Max date from the entire file and then take out 1 month. Can you help with this?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-28-2019 02:18 PM

Like this:

...| eval lastLoginDate=strptime(lastLoginDateStr, "%m/%d/%Y")

Followed by:

| where lastLoginDate >= relative_time(now(), "@m")

OR:

| where lastLoginDate >= relative_time(now(), "-30d@d")

OR just use the timepicker with:

| addinfo
| where lastLoginDate >= info_min_time AND lastLoginDate <= info_max_time
0 Karma
Reply
Solved! Jump to solution

macattck
Engager
‎10-28-2019 02:35 PM

I cannot use a relative date or dynamic date. My data is static until it's refreshed once a month. I feel I need to create a reference of MaxDate from the entire file.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-28-2019 03:39 PM

I have absolutely no idea what you mean if my answer does not make sense to you. You are going to have be FAR more descriptive about your need and post at least 2 examples of doing this on different hypothetical dates or files.

0 Karma
Reply
Solved! Jump to solution

macattck
Engager
‎10-28-2019 04:28 PM

Sorry about the way my question was phrased. It's my first post ever. Let me try to slow down and be more descriptive.

  1. The lastLoginDateStr is the data column in question
  2. My file has two years worth of data up to the last day of the month I run it for, in this case 9/30/2019. The last day of the month will always appear e.g. 10/31/2019 will show up when I run the file on 11/01/2019
  3. If I know my Max date for the entire file is 9/30/2019, I want to pull in all records from 9/01/2019 to meet my 30 day data set. This is why it's hard coded.
  4. I would like to create a Reference data field that takes the Max Date (9/30/2019) and subtract 30 days. I would then like to say WHERE lastLoginDate >= Reference Date (9/30/2019 - 30 days = 9/01/2019)

| eval lastLoginDate=strptime(lastLoginDateStr, "%m/%d/%Y")
| eval referenceDate=strptime("9/1/2019", "%m/%d/%Y")
| where lastLoginDate>=referenceDate

Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...