Splunk Search

how to convert date field to days

vikram1583
Explorer

I have a date field like this: 2021-01-29 00:25:58.913024+00. I want to convert just this date to a days field using now() when I run the command.

Thanks in advance 

0 Karma

bowesmana
SplunkTrust

@vikram1583 

If I understand your requirement correctly, you want to calculate the number of days from that date to current time.

Here's an example, which you can paste into a search window

| makeresults
| eval date="2021-01-29 00:25:58.913024+00"
| eval dz=strptime(date, "%F %H:%M:%S.%6N%:::z")
| eval days=(now()-dz)/86400

The first two lines are creating your data.

Then it parses that date/time using the strptime variables documented here

https://docs.splunk.com/Documentation/Splunk/8.1.1/SearchReference/Commontimeformatvariables

and then calculates the number of days. I am assuming the +00 represents the time zone offset in hours.

0 Karma

vikram1583
Explorer

@bowesmana  

In my case I have a field named First Date, and in that field I have

"2021-01-29 00:25:58.913024+00"

so I used

| makeresults
| eval date="First Date"
| eval dz=strptime(date, "%F %H:%M:%S.%6N%:::z")
| eval days=(now()-dz)/86400

 

I am getting: eval command the 'striptime' function is unsupported or undefined

0 Karma

vikram1583
Explorer

@bowesmana Sorry, I am getting this error: error in eval command the arguments to the striptime function are invalid

 

0 Karma

bowesmana
SplunkTrust

The use of makeresults is done to show an example of how this works and to set up the example data and is not working with your data. In your use case, you would not use makeresults, you would use your normal search.

You would need this part, note that the First Date field name has to be wrapped in single quotes in an eval statement.

| eval dz=strptime('First Date', "%F %H:%M:%S.%6N%:::z")
| eval days=(now()-dz)/86400

Your message said "striptime" - it is strptime

0 Karma

vikram1583
Explorer

@bowesmana It worked now, but I am getting results like 0.1068998 and 2.765478. I just want days; I need to remove what comes after the "."

0 Karma

bowesmana
SplunkTrust
| eval field=round(field)
0 Karma
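
The steps from this thread combined into one search, as an added example that is not part of any post above: it parses 'First Date' with the format string given earlier, flags values that fail to parse, and shows floor() beside round() for the whole-day result. The three rows are constructed sample data (two valid values twelve hours apart and one in a different layout), and the field names constructed_row, parse_ok, age_days, days_floor and days_round are made up for the illustration.

```spl
| makeresults count=3
| streamstats count AS constructed_row
| eval "First Date"=case(constructed_row=1, "2021-01-29 00:25:58.913024+00",
                         constructed_row=2, "2021-01-29 12:25:58.913024+00",
                         constructed_row=3, "29/01/2021 00:25")
| eval dz=strptime('First Date', "%F %H:%M:%S.%6N%:::z")
| eval parse_ok=if(isnull(dz), "no", "yes")
| eval age_days=(now()-dz)/86400
| eval days_floor=floor(age_days), days_round=round(age_days)
| table constructed_row "First Date" parse_ok age_days days_floor days_round
```

strptime returns null when a value does not match the format, so the third row shows parse_ok=no and empty day fields instead of an error. Because the two valid rows are twelve hours apart, one of them will show days_round one higher than days_floor, which is the difference between rounding to the nearest day and dropping the fraction.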