Solved: How to create a variable that contains a date X da...

HattrickNZ · ‎02-25-2016

I am looking to create a variable that contains a date X days in the past from now.

How do I do this?

This is a fixed date in the past:

| eval mylimit=strptime("28 may 2013","%d %b %Y") | table mylimit |

This then converts the above to a date format that I want:

| eval mylimit2=strftime(mylimit, "%d/%m/%Y")

However, I want this to be relative to today and stored in a variable that I can use in a search.

possible related Q

aladda_splunk · ‎02-25-2016

This might help. Toggle the # of days back in time by changing from -1 to however far back in time you want to go

| eval aaa=relative_time(now(),"-1d") | eval bbb=strftime(aaa,"%d/%m/%Y")

View solution in original post

aladda_splunk · ‎02-25-2016

This might help. Toggle the # of days back in time by changing from -1 to however far back in time you want to go

| eval aaa=relative_time(now(),"-1d") | eval bbb=strftime(aaa,"%d/%m/%Y")

HattrickNZ · ‎02-25-2016

that works.

somesoni2 · ‎02-25-2016

You can use the function relative_time (available with eval and where) to get a relative date from a date field (epoch value). See this run anywhere sample)

| gentimes start=-1 |  eval SameDayLastWeek=relative_time(now(),"-1w") | eval SameDayLastMonth=relative_time(now(),"-1mon") | eval Today=now()| convert ctime(*)

HattrickNZ · ‎02-25-2016

tks good to know but will got with aladda answer as it more suits my requirements.tks

How to create a variable that contains a date X days in the past relative to now?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!