Solved: Subtracting time from search, from another specifi...

raby1996 · ‎10-26-2015

Hi all,
Currently I have the following search-

| eval nowstring=strftime(now(), "%Y-%m-%d")
| eval nowstring2=strptime(nowstring, "%Y-%m-%d")
| eval TD= (nowstring2- it3)/86400

where I'm taking the difference between the time the search runs ( nowstring and nowstring2) and the time I'm extracting from my search (TD), however instead of the nowstring I would like compare the times from different months lets say 08/01/2015 so it would be the time difference between my event and or events and 08/01/2015 , is there any way that I can do this?
Thank you.

somesoni2 · ‎10-26-2015

First for your current query, you do it like this (to compare current day with timestamp in your events

 | eval nowstring=relative_time(now(), "@d")
 | eval TD= (nowstring- it3)/86400

For comparing against a specific date, you can do like this

| eval nowstring=strptime("2015-08-01", "%Y-%m-%d")
| eval TD= (nowstring- it3)/86400

For comparing against relative month start date, do like this

| eval nowstring=relative_time(now(), "@mon-2mon")
     | eval TD= (nowstring- it3)/86400

View solution in original post

somesoni2 · ‎10-26-2015

First for your current query, you do it like this (to compare current day with timestamp in your events

 | eval nowstring=relative_time(now(), "@d")
 | eval TD= (nowstring- it3)/86400

For comparing against a specific date, you can do like this

| eval nowstring=strptime("2015-08-01", "%Y-%m-%d")
| eval TD= (nowstring- it3)/86400

For comparing against relative month start date, do like this

| eval nowstring=relative_time(now(), "@mon-2mon")
     | eval TD= (nowstring- it3)/86400

raby1996 · ‎10-26-2015

Thank you!

Subtracting time from search, from another specified time

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!