Solved: How to do operations with dates fields?

bruno_eduardo · ‎11-04-2014

Got a date field that I would like to return only events that were within a specific range, from today to 15 days in the future.
To get today:
|eval timenow=now() |eval nowstring=strftime(now(),"%d/%m/%Y %H:%M:%S")
|table nowstring
04/11/2014 10:35:59

My date field is already like this:
|table "Resolution Period"
27/01/2014 23:59:59

But when I try a simple search like this:
|where "Resolution Period" > nowstring |table "Resolution Period"
I still got all events, unfiltered. Do I need to change something on the "Resolution Period"??

And How to return only events that were within a specific range, from today to 15 days in the future.???

Thanks in advance

MuS · ‎11-04-2014

Hi bruno_eduardo,

I would compare epoch times not human readable time stamps.

So something like this will do it:

... | eval now_time=now() 
| convert mktime("Resolution Period") AS Resolution_Period
| where Resolution_Period > now_time
| table Resolution_Period

regarding the future timestamp you can try this:

... | eval future_time=relative_time(now(), "+15d") | ...

this will return an epoch timestamp as well.

hope this helps ....

cheers, MuS

View solution in original post

MuS · ‎11-04-2014

Hi bruno_eduardo,

I would compare epoch times not human readable time stamps.

So something like this will do it:

... | eval now_time=now() 
| convert mktime("Resolution Period") AS Resolution_Period
| where Resolution_Period > now_time
| table Resolution_Period

regarding the future timestamp you can try this:

... | eval future_time=relative_time(now(), "+15d") | ...

this will return an epoch timestamp as well.

hope this helps ....

cheers, MuS

How to do operations with dates fields?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...