Splunk Search

How to calculate number of days between the beginning of the month to a date within the same month?

ASISH_9
Engager

Let's say the date is 20th of feb, 2017. I need to calculate the number of days starting from 1st feb, 2017 till 20th feb, 2017 ie 20 days. How can I calculate this?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Assuming you've a field "date" with format "%Y-%m-%d", you can do something like this (run anywhere sample, replace first two lines with your base search)

| makeresults | eval date="2017-02-20" | table date | eval startOfMonth=relative_time(strptime(date,"%Y-%m-%d"),"@mon") | eval noOfDays=round((strptime(date,"%Y-%m-%d")-startOfMonth)/86400+1)
0 Karma

sjbriggs
Path Finder

I have a report that runs every day and is doing calculations based on the number of days that have occurred so far.  After pulling my hair out and using a variety of techniques posted in these forums, I ended up with:

| eventstats dc(date_mday) AS daysInMonth

Unless i'm mistaken, the date_* fields are automatically generated in splunk (at least all the data i've seen has them) and this was the easiest and most reliable method I found.

0 Karma

cmerriman
Super Champion

are the dates you are calculating between values in fields? Are they the range from the time picker?

If they are values in fields, it'd be as simple as |eval daysBetween=round((time2-time1)/86400,0) given that the time fields are in epoch, if not, you'll need to do some more evaling with either strftime

If the values are from the time picker, use

|gentimes start=-1 | addinfo | dedup info_min_time info_max_time 
          | eval daysBetween=round((info_max_time-info_min_time)/86400,2)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...