Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I configure a search to count 14 days between now and a timestamp within my event?

jmaple
Communicator
‎12-14-2016 01:45 PM

We've ingested some database tables for data that consists of changes being made in our environment. I'm looking to create a report that counts out two weeks at a time to find the next tasks that will occur. The timestamp we are reading is its own column so I evaluated that timestamp to a date and evaluated now.

[base search] | eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") | eval startDate=strftime(start,"%Y-%m-%d") | eval now=now()| eval todayDate=strftime(now,"%Y-%m-%d") | [table output]

From here, I want to be able to evaluate 14 days between "todayDate" and "startDate". What would be the best way to achieve this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2016 05:29 PM

So, based on the comment, here is how to do what you want.

yoursearchhere
| eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") 
| eval boundaryDate = relative_time(now(),"+14d")
| where start <= boundaryDate
| table whateveryouwant

The relative_time function is super useful...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2016 05:29 PM

So, based on the comment, here is how to do what you want.

yoursearchhere
| eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") 
| eval boundaryDate = relative_time(now(),"+14d")
| where start <= boundaryDate
| table whateveryouwant

The relative_time function is super useful...

0 Karma
Reply
Solved! Jump to solution

jmaple
Communicator
‎12-14-2016 07:31 PM

Doesn't seem to have the desired effect. It does cut the number of events down so it's doing something but it doesn't seem to be limited to the 14 days I want it to be limited to.

0 Karma
Reply
Solved! Jump to solution

jmaple
Communicator
‎12-15-2016 07:07 AM

Going on your solution, I also evaluated "now" to its own value and limited it by only showing events where the start time is > now

 yoursearchhere
 | eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") 
 | eval boundaryDate = relative_time(now(),"+14d")
 | eval now=now()
 | where start <= boundaryDate
 | where start > now
 | table whateveryouwant
0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-14-2016 03:10 PM

First, "find the next tasks that will occur" sounds like you are looking for future events. And I don't know what "evaluate 14 days" means either.
Can you explain your input and your desired output?

0 Karma
Reply
Solved! Jump to solution

jmaple
Communicator
‎12-14-2016 03:43 PM

So the PLANNED_START field is a column from a table in which a user inputs the value of when they plan to start the task (the task being the whole event itself). I'm trying to create a report that reads the "startDate" field and determines if the date is within the next two weeks from when the report is ran.

Ideally this would be run every morning and show two weeks of tasks from that moment (todayDate).

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...