Re: Splunk compare date strings by queries

h52huang · ‎06-04-2018

I want to compare date strings by splunk queries please. I have 2 dropdown inputs. StartDate and EndDate

I have below result set populated from a dropdown as 'StartDate'. If the user selects 2018-05-03, then my EndDate should only have 2018-05-07 and 2018-05-16 available for users to pick.
Date 2018-05-01 2018-05-03 2018-05-07 201805-16

How do I do the comparison logic within the same query please? Can Splunk compare dates alphabetically like Java strings ? Thank you.

cpetterborg · ‎06-04-2018

In this case you can do a string comparison in order to test the dates. Here is a run-anywhere search (it sets up some data in the first three lines, then the last line is the one you want to look at) that can show you this capability:

| makeresults
| eval data="date1=2018-05-03 date2=2018-05-07"
| rex field=data "date1=(?P<date1>\S+)\s+date2=(?P<date2>\S+)"
| eval less=if(date1<date2,1,0)

The dates are compared as strings. The if function will allow you to do a comparison, then if true, take the first value, if false, take the second value.

Splunk compare date strings by queries

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation