Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Between dates condition showing error?

Neel88
Explorer
‎02-03-2023 03:37 AM

Hello everyone,

 

I am passing the dates as token but it shows the error in both the condition.

Cond1: | where (Date>="$date_start$" AND Date<="$date_end$")

Cond2: | where (Date>="2022-06-01" AND Date<="2022-06-02")

Please help

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-03-2023 03:48 AM

Hi @Neel88,

to compare dates, you have to transform them in epochtime using the strptime function, you cannot compare dates in text format.

The only apparent exception is _time, but it's only apparence because it's already in epochtime.

something like this:

<your_search>
| eval date_start=strptime($date_start$,"%Y-%m-%d"), date_end=strptime($date_end$,"%Y-%m-%d"), Date=strptime(date,"%Y-%m-%d")
| where Date>=date_start AND Date<=date_end
| ...

Ciao.

Giuseppe

Reply

Neel88
Explorer
‎02-03-2023 04:19 AM

Hi,

Thank you for your response. 

I have tried and getting this error.

Neel88_1-1675426768151.png

 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-03-2023 05:05 AM

Hi @Neel88,

this is a different problem:

in the simple xml dashboards you cannout use "<" or ">" but you have to use: "&lt;" and "&gt;"

Ciao.

Giuseppe

Reply

Neel88
Explorer
‎02-03-2023 06:02 AM

Thank you for your response.

 

| where (Date = "&gt;","$date_start$") AND (Date = "&lt;","$date_end$")

 

I am very new with this tool. I am not getting result.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-03-2023 06:06 AM

Hi @Neel88,

I used quotes to delimit the strings, use them without quotes:

<your_search>
| eval date_start=strptime($date_start$,"%Y-%m-%d"), date_end=strptime($date_end$,"%Y-%m-%d"), Date=strptime(date,"%Y-%m-%d")
| where Date&gt;=date_start AND Date&lt;=date_end
| ...

Ciao.

Giuseppe

Reply

Neel88
Explorer
‎02-03-2023 06:33 AM

Thank you so much!! Its working fine 🙂 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...