Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk compare date strings by queries

h52huang
Path Finder
‎06-04-2018 06:29 PM

I want to compare date strings by splunk queries please. I have 2 dropdown inputs. StartDate and EndDate

I have below result set populated from a dropdown as 'StartDate'. If the user selects 2018-05-03, then my EndDate should only have 2018-05-07 and 2018-05-16 available for users to pick.
Date
2018-05-01
2018-05-03
2018-05-07
201805-16

How do I do the comparison logic within the same query please? Can Splunk compare dates alphabetically like Java strings ? Thank you.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎06-04-2018 06:43 PM

In this case you can do a string comparison in order to test the dates. Here is a run-anywhere search (it sets up some data in the first three lines, then the last line is the one you want to look at) that can show you this capability:

| makeresults
| eval data="date1=2018-05-03 date2=2018-05-07"
| rex field=data "date1=(?P<date1>\S+)\s+date2=(?P<date2>\S+)"
| eval less=if(date1<date2,1,0)

The dates are compared as strings. The if function will allow you to do a comparison, then if true, take the first value, if false, take the second value.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...