Solved: Compare date in search

twtyj · ‎09-18-2016

I have events containing field "Agent_Local_Time="9/19/2016 1:36:19 PM", I use EVAL to format the time "eval final_time=strftime(strptime(Agent_Local_Time,"%m/%d/%Y %l:%M:%S %p"),"%Y-%b-%d")" and also I EVAL start_time and end_time as below:
start_date=strptime("3/1/2016","%m/%d/%Y")
end_date=strptime("8/31/2016","%m/%d/%Y")

can i compare final_time between start_date and end_date like below:
| where final_time>start_time AND final_time<end_time

is there any solution if it can't.

thanks.

somesoni2 · ‎09-19-2016

You can keep (at least temporarily) the format of final_time to epoch and then you can compare it with start_time and end_time, like this

...your search | eval final_time=strptime(Agent_Local_Time,"%m/%d/%Y %l:%M:%S %p") | evalstart_date=strptime("3/1/2016","%m/%d/%Y") | eval end_date=strptime("8/31/2016","%m/%d/%Y")
| where final_time>start_time AND final_time<end_time |eval final_time=strftime(final_time,"%Y-%b-%d")

View solution in original post

twtyj · ‎09-19-2016

thanks, it works now.

somesoni2 · ‎09-19-2016

You can keep (at least temporarily) the format of final_time to epoch and then you can compare it with start_time and end_time, like this

...your search | eval final_time=strptime(Agent_Local_Time,"%m/%d/%Y %l:%M:%S %p") | evalstart_date=strptime("3/1/2016","%m/%d/%Y") | eval end_date=strptime("8/31/2016","%m/%d/%Y")
| where final_time>start_time AND final_time<end_time |eval final_time=strftime(final_time,"%Y-%b-%d")

Compare date in search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor