Splunk Search

compare a time in a log file to time now

jeroenborger
Explorer

Hello Splunk community,

I am trying to make a comparison between the time in an event field named Account_Expires and the time now.
I was trying a couple of things but nothing seems to work. The code below is where I gave up and asked for your help.

The idea is that a text will be filled in "uitslag" if the Account_Expires date is in the past relative to the present.

(Edited after a response.) So to conclude, I am looking for a comparison between two time stamps: the time stamp in the field Expiration_date and the live date, not the log created date or time. After working on it and using the given answers I came up with the code below, but it is still not working. I tried to convert the Account_Expires date to a number, but that also didn't work.

| dedup _time
| eval datum =strftime(_time, "%d-%m-%Y %l:%M %p")
| rename src_user as "veranderd door"
| eval bewerking =if(Account_Expires = "-", Account_Expires = "<never>", if(Account_Expires = "<never>",Account_Expires,tonumber(trim(Account_Expires))))
| eval Real_time =strftime(now(), "%d-%m-%Y %l:%M:%S")
| eval uitslag =if(Real_time > bewerking, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "<never>", "geen datum opgegeven","Expire datum is in de toekomst")))
| table user,EventCode,"veranderd door",datum, Account_Expires, uitslag, bewerking, Real_time
| sort datum uitslag
| fields - EventCode

picture to clarify

With kind regards

1 Solution

jeroenborger
Explorer

The solution for my problem was:

| dedup _time
| eval datum =strftime(_time, "%d-%m-%Y %l:%M %p")
| rename src_user as "veranderd door"
| eval test= Account_Expires
| eval test2=strptime(test, "%d-%m-%Y %H:%M:%S")
| eval uitslag =if(now() > test2, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "", "geen datum opgegeven","Expire datum is in de toekomst")))
| table user,EventCode,"veranderd door",datum, Account_Expires, uitslag
| sort datum uitslag
| fields - EventCode



renjith_nair
SplunkTrust

Glad that you were able to find the solution. If any of the answers or comments helped you to reach the solution, feel free to upvote (^) them. Happy splunking!



renjith_nair
SplunkTrust

@jeroenborger ,

strftime converts time to a string, and that's why your comparison doesn't yield a result.

Try the epoch values directly:

|eval test =if(now() < _time, "X", "Y") 

jeroenborger
Explorer

Tried that and it is not working; I edited the post with more and new info. It was comparing string length to string length and not looking at the numbers in it.


renjith_nair
SplunkTrust

@jeroenborger ,
In your search again, you are converting now() (which is in epoch format) to a string. Instead of doing that, you should convert the string "Account_Expires" to epoch.

So lines 5, 6 and 7 of your search window should be

| eval bewerking= if (Account_Expires = "-" OR Account_Expires = "<never>", strptime("2035-01-01","%Y-%m-%d"), strptime(Account_Expires,"%d-%m-%Y %H:%M:%S"))
| eval uitslag =if(now() > bewerking, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "<never>", "geen datum opgegeven","Expire datum is in de toekomst")))

So if Account_Expires is - or never, we set a future date. You may change that date (2035-01-01) to any future date, and the other Account_Expires dates are converted to epoch format using strptime.

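The comparison from the accepted solution and from renjith_nair's explanation, as an added Python illustration (not code from the thread or from Splunk): the Account_Expires string is parsed with the same strptime format as the accepted answer, the "-" / "<never>" sentinels fall through to "geen datum opgegeven", and text_comparison() reproduces the original search's strftime(now()) text comparison to show where it goes wrong. The sample events and the fixed "now" value used in the checks are constructed.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the thread): Account_Expires as the
# account-management events carry it, a day-first date string, "-" or "<never>".
SAMPLE_EVENTS = [
    {"user": "alice", "Account_Expires": "01-01-2019 00:00:00"},
    {"user": "bob",   "Account_Expires": "31-12-2099 23:59:59"},
    {"user": "carol", "Account_Expires": "-"},
    {"user": "dave",  "Account_Expires": "<never>"},
    {"user": "erin",  "Account_Expires": "20-01-2019 00:00:00"},
]

EXPIRES_FORMAT = "%d-%m-%Y %H:%M:%S"   # the format the accepted answer passes to strptime
NO_DATE = {"-", "<never>", ""}         # sentinels the accepted answer treats as "no date"


def to_epoch(value):
    """Mirror of Splunk's strptime(): string -> epoch seconds (UTC), None if it does not parse."""
    if value in NO_DATE:
        return None
    try:
        parsed = datetime.strptime(value, EXPIRES_FORMAT)
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def uitslag(account_expires, now_epoch):
    """The accepted answer's eval: epoch against epoch, sentinels fall through the if()."""
    expires = to_epoch(account_expires)
    if expires is None:            # Splunk: now() > null is false, so if() takes the else branch
        return "geen datum opgegeven"
    if now_epoch > expires:
        return "Expire datum is in het verleden"
    return "Expire datum is in de toekomst"


def text_comparison(account_expires, now_epoch):
    """The original search's mistake: strftime(now()) compared as text with the raw field.
    Python's %I stands in for Splunk's %l; the comparison is character by character either way."""
    real_time = datetime.fromtimestamp(now_epoch, timezone.utc).strftime("%d-%m-%Y %I:%M:%S")
    return real_time > account_expires


def classify_all(events, now_epoch=None):
    """Apply uitslag() to every event; now_epoch defaults to the current time, like now()."""
    if now_epoch is None:
        now_epoch = datetime.now(timezone.utc).timestamp()
    return {event["user"]: uitslag(event["Account_Expires"], now_epoch) for event in events}
```

For erin the text comparison says the date is still in the future because "15-06-2021..." sorts before "20-01-2019..." by its first character, while the epoch comparison correctly reports it as past.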

thomasroulet
Path Finder

Use now() instead of now.


jeroenborger
Explorer

Tried that and it is not working; I edited the post with more and new info.
