Splunk Search

How can i display dates between two dates?

ajayabburi508
Path Finder

I have a log that has Start date=23/nov/2016 enddate=23/dec/2016.now i need to display the dates between the dates .

Tags (2)

sundareshr
Legend

Try this

... | eval start=strptime(startdate,"%d/%b/%Y") | eval end=strptime(enddate,"%d/%b/%Y") | eval between= mvrange(start, end, "1d") | mvexpand between

ajayabburi508
Path Finder

thanks sundareshr .
but while generating data its missing last date please help me out for that

0 Karma

ajayabburi508
Path Finder

my query like this

|makeresults| eval startdate="01/01/2016", enddate="01/31/2016"| eval start=strptime(startdate,"%m/%d/%Y"), end=strptime(enddate,"%m/%d/%Y")| eval between= mvrange(start, end, "1d") | mvexpand between | eval s=strftime("between","%d-%m-%y") |eval c_time=strftime(between,"%m/%d/%y") | table c_time,start,end,lines,pattern,daysapplicable,type,prirority

0 Karma

sundareshr
Legend

You could add a day to end, like so | eval between= mvrange(start, end+86400, "1d"). Having said that, the other option is to use gentimes, try this

| gentimes start="01/01/2016", end="02/01/2016" increment=1d | rename *human as *time | table *time, lines,pattern,daysapplicable,type,prirority
0 Karma

ajayabburi508
Path Finder

thanks bro

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Dates must be converted into epoch form before they can be compared. Use something like this. It will give the difference between the two dates in seconds.

... | eval eStartDate=strptime(startdate,"%d/%b/%Y") | eval eEndDate=strptime(enddate,"%d/%b/%Y") | eval diff = eEndDate-eStartDate | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...