Compare dates in splunk

sriva6 · ‎12-13-2013

Hi,

I have the below query to compare the date I am extracting from logs with the current date:

(sourcetype="XYZ") OR (sourcetype="ABC") 
| rex "\|Some String\|\w+\|(?<Field1>[AEU]\d{9})\|" 
| rex "(?P<Date>\d+\/\d+\/\d+\|\d+:\d+:\d+.\d+[^\|]+)"  
| eval DatetimeEpoch=strptime(Date,"%Y/%m/%d %H:%M:%S") 
| eval epoch30minsago=relative_time(now(), "-30m@m" )  
| stats first(sourcetype) as last_sourcetype first(Date) by Field1 
| search last_sourcetype="XYZ" 
| where DatetimeEpoch>=epoch30minsago

I want to print out the values of Field1 if the field "Date" is 30 mins behind the current time.

The format of the filed "Date" is below:

2013/12/12|07:01:01.311
2013/12/12|07:20:17.464
2013/12/12|07:23:52.217
2013/12/12|07:24:52.480
2013/12/12|07:25:42.285
2013/12/12|07:25:49.494
2013/12/12|07:26:24.669

Please let me know how can I compare this with the current time/date. My query above is not working probably because the field "Date" is in string format and splunk is not able to convert it to epoch?

richgalloway · ‎12-13-2013

Your strptime() format doesn't match the Date field. Try "%Y/%m/%d %H:%M:%S.%3Q". Also the where clause should read 'where DatetimeEpoch <= epoch30minsago' to select events at least 30 minutes behind the current time.

---
If this reply helps you, Karma would be appreciated.

ChrisG · ‎12-13-2013

Also: have you seen the Timewrap app?

kristian_kolb · ‎12-13-2013

Look, is this "Date" field in your events the same timestamp information that Splunk uses for indexing purposes? If so, then that information is already available in the _time field, so you don't have to extract it again with rex.

Check it with;

your search for events | head 3 | table _time, Date

Do the timestamps match?

Compare dates in splunk

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life