- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to find the number or days between a fixed dat...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to find the number or days between a fixed date and Today date
Hello Experts,
Here's our requirement: We are performing an auto repair process based on the Splunk output. The goal is not to perform the automation tool twice. Here's the logic i tried...there's a field called last_communicated_time so i want to find no. of days like last_communicated_time - 6/1/2014 in days and assign it to a constant....so if the number increases, we are going to ignore assuming that the remediation tool tried but couldn't fix it.
Example: host X needs to be repaired only once.....we apply the remediation for the first time...if it shows up in the list again,i want to avoid it.
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If last_communicated_time is in epoch time
your search | eval NoOfDays=floor((now()-last_communicated_time)/(3600*24))
If its in string with specific format of date (say "%Y/%b/%d %H:%M:%S")
your search | eval NoOfDays=floor((now()-strptime(last_communicated_time,"%Y/%b/%d %H:%M:%S"))/(3600*24))
Updated Answer
sourcetype="dg_agents"|table agent_state dest_host is_communicating last_communicated_time os version
|eval Scope = if(agent_state="Terminated","In Scope",if(agent_state="Disabled","In Scope","Out of Scope"))
|where Scope = "In Scope"
| eval Days=floor((now()-strptime(last_communicated_time,"%Y-%m-%d %H:%M:%S.%3Q"))/(3600*24))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to use fixed timestamp (string format) instead of now() (epoch format), you would have to convert it to epoch before using.
(your example)
|eval Days=floor((strptime("2014-07-08 23:59:59.000","%Y-%m-%d %H:%M:%S.%3Q")-last_communicated_time)/(3600*24))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, is there a way to use a fixed timestamp instead of now()? Example:eval Days = floor((2014-07-08 23:59:59.000-last_communicated_time)/(3600*24)) ?My logic is to use one static value and one dynamic value and ignore if the count changes. Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect...This worked!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey somesoni2, Thank you for the quick answer. Here's the last_communicated_time format 2014-07-07 11:22:56.0 . Days column is all blank
Here's the search
sourcetype="dg_agents"|table agent_state dest_host is_communicating last_communicated_time os version|eval Scope = if(agent_state="Terminated","In Scope",if(agent_state="Disabled","In Scope","Out of Scope"))|eval Days = round((now()-last_communicated_time)/(3600*24))|where Scope = "In Scope"
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
