Splunk Search

Compare dates in splunk

sriva6
New Member

Hi,

I have the below query to compare the date I am extracting from logs with the current date:

(sourcetype="XYZ") OR (sourcetype="ABC") 
| rex "\|Some String\|\w+\|(?<Field1>[AEU]\d{9})\|" 
| rex "(?P<Date>\d+\/\d+\/\d+\|\d+:\d+:\d+.\d+[^\|]+)"  
| eval DatetimeEpoch=strptime(Date,"%Y/%m/%d %H:%M:%S") 
| eval epoch30minsago=relative_time(now(), "-30m@m" )  
| stats first(sourcetype) as last_sourcetype first(Date) by Field1 
| search last_sourcetype="XYZ" 
| where DatetimeEpoch>=epoch30minsago

I want to print out the values of Field1 if the field "Date" is 30 mins behind the current time.

The format of the field "Date" is below:

2013/12/12|07:01:01.311
2013/12/12|07:20:17.464
2013/12/12|07:23:52.217
2013/12/12|07:24:52.480
2013/12/12|07:25:42.285
2013/12/12|07:25:49.494
2013/12/12|07:26:24.669

Please let me know how I can compare this with the current time/date. My query above is not working, probably because the field "Date" is in string format and Splunk is not able to convert it to epoch?


richgalloway
SplunkTrust

Your strptime() format doesn't match the Date field. Try "%Y/%m/%d %H:%M:%S.%3Q". Also the where clause should read 'where DatetimeEpoch <= epoch30minsago' to select events at least 30 minutes behind the current time.

---
If this reply helps you, Karma would be appreciated.
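A corrected version of the query from the question, written as an added example rather than code from any of the posters. It applies the two fixes above, with one adjustment: the Date field has a pipe between the date and the time, so the strptime format uses "|" where the reply has a space. The rex is tightened so only the timestamp is captured (the original trailing [^\|]+ can pull extra text into Date and make strptime fail), and DatetimeEpoch is passed through stats, which otherwise drops every field not named in it, leaving the where clause nothing to compare.

```spl
(sourcetype="XYZ") OR (sourcetype="ABC")
| rex "\|Some String\|\w+\|(?<Field1>[AEU]\d{9})\|"
| rex "(?<Date>\d{4}/\d{2}/\d{2}\|\d{2}:\d{2}:\d{2}\.\d{3})"
| eval DatetimeEpoch=strptime(Date, "%Y/%m/%d|%H:%M:%S.%3Q")
| stats first(sourcetype) AS last_sourcetype, first(Date) AS Date, first(DatetimeEpoch) AS DatetimeEpoch BY Field1
| search last_sourcetype="XYZ"
| where DatetimeEpoch <= relative_time(now(), "-30m@m")
| eval Date_check=strftime(DatetimeEpoch, "%Y-%m-%d %H:%M:%S")
| table Field1, last_sourcetype, Date, Date_check
```

Date_check should show the same instant as Date; if it comes back empty, strptime rejected the string and the format still does not match what rex captured.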

ChrisG
Splunk Employee

Also: have you seen the Timewrap app?


kristian_kolb
Ultra Champion

Look, is this "Date" field in your events the same timestamp information that Splunk uses for indexing purposes? If so, then that information is already available in the _time field, so you don't have to extract it again with rex.

Check it with:

your search for events | head 3 | table _time, Date

Do the timestamps match?
