How to compare date time present in a log with the...

shannu1241 · ‎06-20-2015

I have a log, which has two time fields,

_time(Log indexed time)
StartDate (Date time inside the log)

When i select date range, it compares with _time.

Is there any way to compare date selected from date range with "StartDate" ?? Please help me.

lguinn2 · ‎06-20-2015

If the StartDate reflects when the event happened, then the StartDate should be stored in _time. You need to set this up using props.conf on the indexer (unless you are using a heavy forwarder to collect the data). Splunk only uses the time that it indexed the data when it can't find any other timestamp automatically and nothing is configured in props.conf to tell it how to parse. You should read Configure timestamps and fix your data.

There is no way to easily select the StartDate range, as all searches are based on _time. However, if you search over "All Time" or a sufficiently large time period (last 90 days, perhaps?), you can filter based on StartDate. For this to work, StartDate will need to be a Unix-formatted time. It might work something like this.

yoursearchcriteria
| eval Start = strptime(StartDate,"%m-%d-%Y")
| where Start >=relative_time(now(),"-7d@d")

This will select events that have a StartDate within the last week. For it to work, the timerange picker will have to select all events that might have a StartDate with an appropriate time.

How to compare date time present in a log with the date time selected from the time range picker?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms