Splunk Search

Subtraction of X days from a date

klaudiac
Path Finder

Hi guys, 

Probably very simple question but I just tangled myself in the logic. 

I want to create 2 fields, one with today's date so I have that one
| eval today_date=strftime(now(),"%B %d, %Y")

and the second one where I want to subtract 30 days from that date.

How do I get about it?

1 Solution

gcusello
SplunkTrust

Hi @klaudiac,

to work on dates, you have to work using epoch time.

In other words you have to subtract from now() the seconds of 30 days (3600*24*30):

| eval today_date=strftime(now(),"%B %d, %Y"), 30_days_past_date=strftime(now()-2592000,"%B %d, %Y")

Ciao.

Giuseppe


klaudiac
Path Finder

That makes sense. I was trying to do | eval 30days_date=strftime((now(),"-30d@d")) and was wondering why it isn't working.

Thanks very much 🙂 


gcusello
SplunkTrust

Hi @klaudiac,

you can also do it in another way:

| eval 30_days_past_date=relative_time(now(),"-30d@d")

Ciao.

Giuseppe

P.S.: if this answer solves your need, please accept it for the other people of the Community, and Karma Points are appreciated ;-)

klaudiac
Path Finder

Cool, thanks very much for that. 

And one more question @gcusello before I let you go 🙂 

If I want to have a fixed date, e.g. have 1st of September as a constant date, and then do a difference between today and that 1st of Sept, how should I formulate the eval command? 

Because my | eval today_date=strftime(now(),"%B %d, %Y") will be dynamic so that's fine, but how do I calculate the difference between that fixed date and my dynamic today_date?


gcusello
SplunkTrust

Hi @klaudiac,

you can define a fixed date using eval, but remember that to manipulate dates, you always have to work using epoch time, so try something like this:

| eval fixed_date="01/09/2021"
| eval epoch_fixed_date=strptime(fixed_date,"%d/%m/%Y")
| eval diff=epoch_fixed_date-now()

then if you want to display this difference in a different format than seconds, you can add:

| eval difference=tostring(diff,"duration")

Ciao and happy splunking.

Giuseppe


PickleRick
SplunkTrust

Well, yes, and no 🙂

I'd advise against formatting time to text whenever possible. If possible, keep the time as a Unix timestamp, and only format it on output with | fieldformat. That way any time manipulation is much easier (you just add/subtract the appropriate number of seconds) without the need to recalculate the date to/from the string representation.

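The pieces from the thread (subtracting raw seconds from now(), relative_time() with "-30d@d", strptime() for a fixed date, tostring(...,"duration"), and keeping fields as epoch values with | fieldformat) fit together into one search. The following is an added example written for this page, not code from any of the posts above. It runs on | makeresults so it needs no index; the fixed date 01/09/2021 and its "%d/%m/%Y" format are the values used in the thread, and every other field name is my own choice. This is the same lookback arithmetic you would use in detection content, for example to flag accounts whose last logon epoch falls before a 30-day cutoff.

```spl
| makeresults
| eval now_epoch=now()
| eval thirty_days_ago_epoch=now_epoch-(3600*24*30)
| eval thirty_days_ago_midnight=relative_time(now_epoch,"-30d@d")
| eval fixed_epoch=strptime("01/09/2021","%d/%m/%Y")
| eval seconds_since_fixed=now_epoch-fixed_epoch
| eval days_since_fixed=floor(seconds_since_fixed/86400)
| eval since_fixed_readable=tostring(seconds_since_fixed,"duration")
| eval age_bucket=if(fixed_epoch<thirty_days_ago_midnight,"older than 30 days","within last 30 days")
| fieldformat now_epoch=strftime(now_epoch,"%B %d, %Y")
| fieldformat thirty_days_ago_epoch=strftime(thirty_days_ago_epoch,"%B %d, %Y %H:%M")
| fieldformat thirty_days_ago_midnight=strftime(thirty_days_ago_midnight,"%B %d, %Y %H:%M")
| fieldformat fixed_epoch=strftime(fixed_epoch,"%B %d, %Y")
| table now_epoch thirty_days_ago_epoch thirty_days_ago_midnight fixed_epoch days_since_fixed since_fixed_readable age_bucket
```

Three things the output makes visible. now_epoch-2592000 lands exactly 720 hours back, so it carries the current time of day, while relative_time(now_epoch,"-30d@d") snaps to midnight of that day in the search's time zone; the two differ by however far past midnight it is now, which matters when a cutoff has to align with daily summary buckets. strptime() with a date-only format yields midnight local time for that date, so comparisons against it are day-granular. The subtraction here is now_epoch-fixed_epoch so that the duration is positive for a date in the past; the thread's epoch_fixed_date-now() gives the same magnitude with the opposite sign. Because every date field stays numeric and only | fieldformat renders it, the comparison in age_bucket and any later arithmetic work on seconds, with no string parsing in between.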