Hi guys,
Probably very simple question but I just tangled myself in the logic.
I want to create 2 fields, one with today's date so I have that one
| eval today_date=strftime(now(),"%B %d, %Y")
and the second one where I want to subtract 30days from that date.
How do I get about it?
Hi @klaudiac,
to work ondates, you have to work using epochtime.
In other words you have to subtract from now() the seconds of 30 days (3600*24*30):
| eval today_date=strftime(now(),"%B %d, %Y"), 30_days_past_date=strftime(now()-2592000,"%B %d, %Y")
Ciao.
Giuseppe
That makes sense. I was trying to do | eval 30days_date=strftime((now(),"-30d@d")) and was wondering why it isn't working.
Thanks very much 🙂
Hi @klaudiac,
you can do also in another way:
| eval 30_days_past_date=relative_time(now(),"-30d@d")
Ciao.
Giuseppe
P.S.: if this answer solves your need, please accept it for the other people of Community and Karma Points are appreciated;-)
Cool, thanks very much for that.
And one more question @gcusello before I let you go 🙂
If I want to have a fixed date, e.g. have 1st of September as a constant date, and then do a difference between today and that 1st of Sept, how should I formulate the eval command?
Because my | eval today_date=strftime(now(),"%B %d, %Y") will be dynamic so that's fine, but how do i calculate the difference between that fixed date and my dynamic today_date?
Hi @klaudiac,
you can define a fixed date using eval, but remember that to manipulate dates, you have always to work using epochtime, so try something like this:
| eval fixed_date="01/09/2021"
| eval epoch_fixed_date=strptime(fixed_date,"%d/%m/%Y")
| eval diff=epoch_fixed_date-now()
then if you want to display this difference in a different format than seconds, you can add:
| eval difference=tostring(diff,"duration")
Ciao and happy splunking.
Giuseppe
Hi @klaudiac,
to work ondates, you have to work using epochtime.
In other words you have to subtract from now() the seconds of 30 days (3600*24*30):
| eval today_date=strftime(now(),"%B %d, %Y"), 30_days_past_date=strftime(now()-2592000,"%B %d, %Y")
Ciao.
Giuseppe
Well, yes, and no 🙂
I'd advise against formating time to text whenever possible. If possible - keep the time as unix timestamp, only format it on output with | fieldformat. That way any time manipulation is much easier (you just add/substract appropriate number of seconds) without the need of recalculating the date to/from the string representation.