Splunk Search

Date comparison with if statements

mcamilleri
Path Finder

I need to use an if statement to set the dates in startDateFrom and startDateTo if not specified in the selectedStartDateFrom and selectedStartDateTo variables.

I then want to use startDateFrom and startDateTo to filter for entries with Experiment_Instance_Start_Date between startDateFrom and startDateTo.

The date comparison works fine, it's only when I add the if statements that it stops working. Any ideas what I'm doing wrong here?

| eval compare=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y") 
| where compare>=strptime(startDateFrom,"%m/%d/%Y")
| eval compare=strptime(startDateTo,"%m/%d/%Y")
| where compare>=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y")
| eval startDateFrom=if("$selectedStartDateFrom$"="", "01/01/1970", "$selectedStartDateFrom$")
| eval startDateTo=if("$selectedStartDateTo$"="", "01/01/2100", "$selectedStartDateTo$")
Tags (4)
0 Karma
1 Solution

mcamilleri
Path Finder

As aholzer said in the comments above, "$selectedStartDateFrom$"="" is wrong, so I changed that to len("$selectedStartDateFrom$")>0. I also needed to move the if statements to before the date comparison for the startDateFrom and startDateTo to be available. Also start date of 01/01/1970 returns no results, so I changed it to a later date.

| eval startDateFrom=if(len("$selectedStartDateFrom$")>0, "$selectedStartDateFrom$", "01/01/2000")
| eval startDateTo=if(len("$selectedStartDateTo$")>0, "$selectedStartDateTo$", "01/01/2099")
| eval compare=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y") 
| where compare>=strptime(startDateFrom,"%m/%d/%Y")
| eval compare=strptime(startDateTo,"%m/%d/%Y")
| where compare>=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y")

View solution in original post

0 Karma

mcamilleri
Path Finder

As aholzer said in the comments above, "$selectedStartDateFrom$"="" is wrong, so I changed that to len("$selectedStartDateFrom$")>0. I also needed to move the if statements to before the date comparison for the startDateFrom and startDateTo to be available. Also start date of 01/01/1970 returns no results, so I changed it to a later date.

| eval startDateFrom=if(len("$selectedStartDateFrom$")>0, "$selectedStartDateFrom$", "01/01/2000")
| eval startDateTo=if(len("$selectedStartDateTo$")>0, "$selectedStartDateTo$", "01/01/2099")
| eval compare=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y") 
| where compare>=strptime(startDateFrom,"%m/%d/%Y")
| eval compare=strptime(startDateTo,"%m/%d/%Y")
| where compare>=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y")
0 Karma

mcamilleri
Path Finder

great, that helped a lot. I'm using len now and I also had to move the if statements before the date comparison for the startDateFrom and startDateTo to be available

0 Karma

aholzer
Motivator

Looks like you are doing a string comparison rather than a date comparison. The double quotes around your $selectedStartDateFrom$ convert it to a string.

In string comparisons you need a == comparison rather than an = comparison: "$selectedStartDateFrom$"==""

If this doesn't work, you could also do something like: len("$selectedStartDateFrom$")>0

hope this helps

mcamilleri
Path Finder

They're tokens provided from a form

0 Karma

sowings
Splunk Employee
Splunk Employee

Are selectedStartDateFrom and selectedStartDateTo fields from your data, or tokens, as provided from a form? The syntax of your if will vary depending upon the answer.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...