Splunk Search

Number of days between two dates in same event

Mike6960
Path Finder

In an event I have two dates.

G_S="2017-10-07 23:21:19.0" and A_Z="2017-10-07 00:00:00.0"

I have multiple examples but somehow I cannot get it working. I would like to know how to extract the number of days between these dates.


1 Solution

richgalloway
SplunkTrust
SplunkTrust

Here's one way.

... | eval eG_S=strptime(G_S,"%Y-%m-%d %H:%M:%S.%N"), eA_Z=strptime(A_Z, "%Y-%m-%d %H:%M:%S.%N") | eval days=(eG_S-eA_Z)/86400 | ...
---
If this reply helps you, Karma would be appreciated.


0 Karma


Mike6960
Path Finder

Thanks, but I have tried something like this before. I would expect a field as output with the number of days, but it does not seem to work.

0 Karma

cmerriman
Super Champion

if you used this instead:

| eval days=floor((eG_S-eA_Z)/86400)

for the days you gave, it would give you 0 days, because it wasn't a full 24 hours. it'll automatically round down.

0 Karma

Mike6960
Path Finder

I don't see an output field with a number of days; do I have to include this in my search?

0 Karma

Mike6960
Path Finder

I just made a change and now I see fields like eG_S and eA_Z. But the contents of these are like: 1507240800.000000.

0 Karma

cmerriman
Super Champion

right. eG_S and eA_Z are in epoch (that is what strptime does), so that they can be used in calculations for the number of days. did you add the eval for days and does it work?
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/DateandTimeFunctions#strptim...

0 Karma

Mike6960
Path Finder

I have used this whole string:
| eval eG_S=strptime(G_S,"%Y-%m-%d %H:%M:%S.%N"), eA_Z=strptime(A_Z, "%Y-%m-%d %H:%M:%S.%N")
| eval days=floor((eG_S-eA_Z)/86400)
The two fields eG_S and eA_Z are generated, but I don't see a result of number of days anywhere.

0 Karma

Mike6960
Path Finder

Sorry!!!, I did something wrong, I see the field 'days' now. Sorry for wasting your time....
Thanks a lot for the help.

0 Karma

cmerriman
Super Champion

No worries, glad you figured it out!!
Please accept the answer if your problem is solved to award points and close the question 🙂

0 Karma

Mike6960
Path Finder

If I want to use the current time in Splunk, can I then just replace G_S with NOW()?

0 Karma

cmerriman
Super Champion

yes, that'll give you the current timestamp, and it's already in epoch, so there is no need to convert it.

0 Karma

cmerriman
Super Champion

you'll need this whole string:

| eval eG_S=strptime(G_S,"%Y-%m-%d %H:%M:%S.%N"), eA_Z=strptime(A_Z, "%Y-%m-%d %H:%M:%S.%N") | eval days=floor((eG_S-eA_Z)/86400)

days should be a field as long as G_S and A_Z are the field names in your data. otherwise, replace them with the actual field names.

0 Karma