Splunk Search

Subtraction of X days from a date

klaudiac
Path Finder

Hi guys, 


Probably a very simple question, but I just tangled myself in the logic.

I want to create 2 fields, one with today's date so I have that one
| eval today_date=strftime(now(),"%B %d, %Y")

and the second one where I want to subtract 30 days from that date.

How do I get about it?

1 Solution

gcusello
SplunkTrust

Hi @klaudiac,

to work on dates, you have to work using epoch time.

In other words you have to subtract from now() the seconds of 30 days (3600*24*30):

| eval today_date=strftime(now(),"%B %d, %Y"), 30_days_past_date=strftime(now()-2592000,"%B %d, %Y")

Ciao.

Giuseppe


klaudiac
Path Finder

That makes sense. I was trying to do | eval 30days_date=strftime((now(),"-30d@d")) and was wondering why it isn't working.

Thanks very much 🙂 


gcusello
SplunkTrust

Hi @klaudiac,

you can also do it in another way:

| eval 30_days_past_date=relative_time(now(),"-30d@d")

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it for the other people of the Community; Karma Points are appreciated ;-)

klaudiac
Path Finder

Cool, thanks very much for that. 

And one more question @gcusello before I let you go 🙂 

If I want to have a fixed date, e.g. have 1st of September as a constant date, and then do a difference between today and that 1st of Sept, how should I formulate the eval command? 

Because my | eval today_date=strftime(now(),"%B %d, %Y") will be dynamic, so that's fine, but how do I calculate the difference between that fixed date and my dynamic today_date?


gcusello
SplunkTrust

Hi @klaudiac,

you can define a fixed date using eval, but remember that to manipulate dates you always have to work using epoch time, so try something like this:

| eval fixed_date="01/09/2021"
| eval epoch_fixed_date=strptime(fixed_date,"%d/%m/%Y")
| eval diff=epoch_fixed_date-now()

then if you want to display this difference in a different format than seconds, you can add:

| eval difference=tostring(diff,"duration")

Ciao and happy splunking.

Giuseppe

PickleRick
SplunkTrust

Well, yes, and no 🙂

I'd advise against formatting time to text whenever possible. If possible, keep the time as a unix timestamp and only format it on output with | fieldformat. That way any time manipulation is much easier (you just add/subtract the appropriate number of seconds) without the need to recalculate the date to/from the string representation.

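Putting the whole thread together in one self-contained search (an added example, not code from any of the posters): the three ways of getting "30 days ago" (plain seconds arithmetic, relative_time with a snap to midnight), the difference against a fixed date via strptime and tostring duration, and the underlying fields kept as epoch with fieldformat applied only on output, as PickleRick suggests. The fixed date and field names are constructed for illustration.

```spl
| makeresults
| eval today_epoch=now()
| eval thirty_days_ago_epoch=now()-(3600*24*30)
| eval thirty_days_ago_midnight=relative_time(now(),"-30d@d")
| eval fixed_date="01/09/2021"
| eval fixed_epoch=strptime(fixed_date,"%d/%m/%Y")
| eval diff_seconds=now()-fixed_epoch
| eval diff_duration=tostring(diff_seconds,"duration")
| fieldformat today_epoch=strftime(today_epoch,"%B %d, %Y")
| fieldformat thirty_days_ago_epoch=strftime(thirty_days_ago_epoch,"%B %d, %Y")
| fieldformat thirty_days_ago_midnight=strftime(thirty_days_ago_midnight,"%Y-%m-%d %H:%M:%S")
| table today_epoch thirty_days_ago_epoch thirty_days_ago_midnight fixed_date fixed_epoch diff_seconds diff_duration
```

Note that diff_seconds is computed as now() minus the fixed date (the reverse of the order in the answer above) so that a past date yields a positive duration rather than a negative one; strptime interprets the fixed date in the search head's time zone, so check that against where your events are timestamped.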