Hi @klaudiac,

you can do also in another way:

| eval 30_days_past_date=relative_time(now(),"-30d@d")

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it for the other people of Community and Karma Points are appreciated;-)

Cool, thanks very much for that. 

And one more question @gcusello before I let you go 🙂 

If I want to have a fixed date, e.g. have 1st of September as a constant date, and then do a difference between today and that 1st of Sept, how should I formulate the eval command? 

Because my | eval today_date=strftime(now(),"%B %d, %Y") will be dynamic so that's fine, but how do i calculate the difference between that fixed date and my dynamic today_date?

Hi @klaudiac,

you can define a fixed date using eval, but remember that to manipulate dates, you have always to work using epochtime, so try something like this:

| eval fixed_date="01/09/2021"
| eval epoch_fixed_date=strptime(fixed_date,"%d/%m/%Y")
| eval diff=epoch_fixed_date-now()

then if you want to display this difference in a different format than seconds, you can add:

| eval difference=tostring(diff,"duration")

Ciao and happy splunking.

Giuseppe

Well, yes, and no 🙂

I'd advise against formating time to text whenever possible. If possible - keep the time as unix timestamp, only format it on output with | fieldformat. That way any time manipulation is much easier (you just add/substract appropriate number of seconds) without the need of recalculating the date to/from the string representation.