Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval formula to display dates till 31st december where start day is determined by a formula

puneetkharband1
Path Finder
‎09-21-2017 11:01 AM

Hey Everyone I am trying to write an eval when a user enter an year it should return a date
formula works fine in excel DATE(F6,11,29)-WEEKDAY(DATE(F6,11,24))
F6 is user input for an year.

idea is to display the days from the days from thanksgiving to december 31st for any year I input.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎09-21-2017 03:09 PM

See this runanywhere search. Replace line1 with your search. What this does is for each year value, it first gets the thanksgiving day (getting 7day range from Nov-22 and getting the Thursday) and then calculates difference between that and year end.

| gentimes start=-1 | eval year=mvrange(2012,2021) | table year | mvexpand year 
| eval thanksgivingrangestart=strptime(year."/11/22","%Y/%m/%d")  | eval date=mvrange(thanksgivingrangestart,thanksgivingrangestart+(86400*7),86400) | eval date=strftime(date,"%a %F") | eval thanksgivingday=mvfilter(match(date,"Thu")) | fields - date thanksgivingrangestart | eval dayFromThanksGivingToYearEnd=round((strptime(year."/12/31","%Y/%m/%d")-strptime(thanksgivingday,"%a %F"))/86400)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

lfedak_splunk
Splunk Employee
Splunk Employee
‎09-21-2017 05:16 PM

Hey @puneetkharbanda, if they solved your problem, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎09-21-2017 03:09 PM

See this runanywhere search. Replace line1 with your search. What this does is for each year value, it first gets the thanksgiving day (getting 7day range from Nov-22 and getting the Thursday) and then calculates difference between that and year end.

| gentimes start=-1 | eval year=mvrange(2012,2021) | table year | mvexpand year 
| eval thanksgivingrangestart=strptime(year."/11/22","%Y/%m/%d")  | eval date=mvrange(thanksgivingrangestart,thanksgivingrangestart+(86400*7),86400) | eval date=strftime(date,"%a %F") | eval thanksgivingday=mvfilter(match(date,"Thu")) | fields - date thanksgivingrangestart | eval dayFromThanksGivingToYearEnd=round((strptime(year."/12/31","%Y/%m/%d")-strptime(thanksgivingday,"%a %F"))/86400)
0 Karma
Reply
Solved! Jump to solution

puneetkharband1
Path Finder
‎09-22-2017 08:19 AM

thank you Somesh ...that will definitely bring me closer to what I am trying to do.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎09-21-2017 11:58 AM

It's not clear in what format you need this, or where you expect to place it. Regardless of those difficulties, here's an option.

If you can do it in SPL - 

| gentimes start=12/25/2017 end=12/26/2017
| eval DaysToChristmas = round((starttime - now())/86400,0) 
| fields DaysToChristmas

That would require updating the new gentimes once per year. There's probably a workaround for that, but it's a 10 second fix once per year. Note you should also confirm that number - you might have to adjust it by + or - 1.

The logic is simple: in this case, line 1 is just to create a fake event on Christmas Day, 2017.
Line 2 first subtracts the current date and time now() from the time the gentimes created starttime, both of which are in seconds so we have to then divide by 86400 (the number of seconds in a day) to get days, then we round it to no decimals to get whole numbers.
Line 3 is only display that one field.

If you need to do this for a lot of events to see how far each is from Christmas, you can do it with similar logic in a regular search.

| mysearch ...
| eval DaysToChristmas = round((1514160001 - _time)/86400,0)

Same logic, essentially. Here I use the simpler "already converted to epoch format" number (I used Epoch Converter) and the event's _time, but otherwise it's the same.

Happy Splunking!
-Rich

0 Karma
Reply
Solved! Jump to solution

puneetkharband1
Path Finder
‎09-21-2017 01:57 PM

Hey Rich

I am actually calculating the difference between 2 dates where my year is dynamic based on the data.
In return I need to whole date in the same format
whole idea is to calculate the thanks giving day of the year also when I ll have thanks giving day as year-mon-day I need to print one week in the same format from that day.

2016
2015
2017

I tried this index="test" source="test" date=* mon=* year=* (STATDATE>=2016-11-22 AND STATDATE<=2016-11-30) SITE=USA | eval day_c = strftime(_time,"%Y-%m-%d") | eval enddate= year+"-11-29"| eval startdate= year+"-11-24" | eval DiffInSecs = strptime(enddate, "%Y-%m-%d")-strptime(startdate, "%Y-%m-%d") | eval td = strftime(DiffInSecs, "%Y-%m-%d %A") | table day_c td

but seems strftime doesnt work here

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...