Hi there! I have a query which compares two dates and returns a result showing which date is furthest is the future.
Because of this, the second date field is consistently showing as higher than the first, even when it actually isn't.
Has anyone got any ideas about how I could get rid of the HH:mm:ss from the second date field? I'm assuming if I get rid of that the eval will work correctly!
Thanks in anticipation!
Andrea
Hello Andrea,
If you are directly comparing the dates it might be in string format. Best way will be to convert it to epoch time format and then make a comparison. Please try this sample search
sourcetype=x|eval Date1=strptime(field1,"%d/%m/%Y")|eval Date2=strptime(field1,"%d/%m/%Y %H:%M:%S")|eval Greater=if(Date1>Date2,"Yes","No")|table Date1,Date2,Greater
Thanks
Hooray!! One date still has hours, the other doesn't - but the result is correct, and that is what matters 🙂
Thank you so much for your help!!
Hello Andrea,
If you are directly comparing the dates it might be in string format. Best way will be to convert it to epoch time format and then make a comparison. Please try this sample search
sourcetype=x|eval Date1=strptime(field1,"%d/%m/%Y")|eval Date2=strptime(field1,"%d/%m/%Y %H:%M:%S")|eval Greater=if(Date1>Date2,"Yes","No")|table Date1,Date2,Greater
Thanks