Solved: Display rows not older than 1 day based in a date ...

rsokolova · ‎11-09-2017

Thanks in advance.

We are trying to display the rows where the column is not older than 1 day and this has to be done comparing columns.

Example today is 11/9/2017 and we are trying to just to display the data from yesterday and today based in the Return_Date column.

This is only data that we would need to see.

LCM_BRogerson · ‎11-09-2017

Hi @rsokolova

To get the current date and time in epoch format you can use:
| eval timenow=now()
To get a date/time relative to now you can use:
| eval yesterday=relative_time(now(), "-1d@d")
In order to compare dates they need to be in the same format, so convert the time to the same format as your return date field:
| eval yesterday=strftime(relative_time(now(), "-1d@d"), "%d-%b-%y)
Before your table, you can add a where clause to remove the data you don't want.
| where Return_Date>=yesterday

Hope this helps.

View solution in original post

LCM_BRogerson · ‎11-09-2017

Hi @rsokolova

To get the current date and time in epoch format you can use:
| eval timenow=now()
To get a date/time relative to now you can use:
| eval yesterday=relative_time(now(), "-1d@d")
In order to compare dates they need to be in the same format, so convert the time to the same format as your return date field:
| eval yesterday=strftime(relative_time(now(), "-1d@d"), "%d-%b-%y)
Before your table, you can add a where clause to remove the data you don't want.
| where Return_Date>=yesterday

Hope this helps.

Display rows not older than 1 day based in a date column

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...