Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subtracting time from search, from another specified time

raby1996
Path Finder
‎10-26-2015 02:55 PM

Hi all,
Currently I have the following search-

| eval nowstring=strftime(now(), "%Y-%m-%d")
| eval nowstring2=strptime(nowstring, "%Y-%m-%d")
| eval TD= (nowstring2- it3)/86400

where I'm taking the difference between the time the search runs ( nowstring and nowstring2) and the time I'm extracting from my search (TD), however instead of the nowstring I would like compare the times from different months lets say 08/01/2015 so it would be the time difference between my event and or events and 08/01/2015 , is there any way that I can do this?
Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-26-2015 03:20 PM

First for your current query, you do it like this (to compare current day with timestamp in your events

 | eval nowstring=relative_time(now(), "@d")
 | eval TD= (nowstring- it3)/86400

For comparing against a specific date, you can do like this

| eval nowstring=strptime("2015-08-01", "%Y-%m-%d")
| eval TD= (nowstring- it3)/86400

For comparing against relative month start date, do like this

| eval nowstring=relative_time(now(), "@mon-2mon")
     | eval TD= (nowstring- it3)/86400

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-26-2015 03:20 PM

First for your current query, you do it like this (to compare current day with timestamp in your events

 | eval nowstring=relative_time(now(), "@d")
 | eval TD= (nowstring- it3)/86400

For comparing against a specific date, you can do like this

| eval nowstring=strptime("2015-08-01", "%Y-%m-%d")
| eval TD= (nowstring- it3)/86400

For comparing against relative month start date, do like this

| eval nowstring=relative_time(now(), "@mon-2mon")
     | eval TD= (nowstring- it3)/86400
0 Karma
Reply
Solved! Jump to solution

raby1996
Path Finder
‎10-26-2015 03:40 PM

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...