Splunk Search

Compare a date field with current date

rbw78
Communicator

Hello,

I have some events in Splunk which I would like to compare with today's date less 30 days.
I want to extract all the events which are older than 30 days, like this.

The date field in the events has this form: Date="2012-09-24", which is %Y-%m-%d.

How could I get the current Splunk date in my search and compare it with the date field?
I suppose the use of epoch values as proposed here could be a solution once the current date is obtained.

http://splunk-base.splunk.com/answers/37272/compare-two-date

Thanks.

1 Solution

reed_kelly
Contributor

To get the current date, you can just add:

|eval timenow=now()

This gets epoch time into the field timenow. If you want to format it, you can use strftime:

|eval nowstring=strftime(now(), "%Y-%m-%d")

If you want to convert your date to an epoch time:

|eval epochdate=strptime(yourdate, "%Y-%m-%d")

You can also use relative_time to find the epoch value of 30 days ago:

|eval epoch30days_ago=relative_time(now(), "-30d@d" )

This could be used to do a direct comparison with the strptime value from above.

Finally, you can do the strptime and set it to _time. This would allow you to set the time range directly:

|eval _time=strptime(yourdate, "%Y-%m-%d") |search latest=-30d


twh1
Communicator

Hi @reed.kelly,
How can we get the epoch time for a relative time like -7d@h?

earliest = -7d@h


reed_kelly
Contributor

I think that is in my answer.
| makeresults
| fields - _time
| eval seven_days_on_hour=relative_time(now(), "-7d@h" )
Does that answer it?


twh1
Communicator

Hi @reed.kelly ,
Yes, we can get this for fixed time.

I want to check the records for which CREATE_TIME matches my date selection from the time picker control. Currently I am using the query below, which always checks only for today's date.

index=os_na sourcetype="oracle_os:healthcheck" "ADR Home =" | multikv | table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP | dedup INCIDENT_ID | eval create_day=substr(CREATE_TIME, 1, 10) | eval now_day = strftime(now(), "%m/%d/%Y") | where INCIDENT_ID!=" " AND create_day==now_day

Could you please help me get the desired result?


reed_kelly
Contributor

I have some thoughts, but this question deserves its own top-level question so that others can offer their own insight. Also, people looking for answers to questions like yours will find a more targeted answer. Don't be afraid to open a whole new question 🙂



skender27
Contributor

Hi,

Thanks for this answer.
And how can you check whether a date and time is after or before a certain date and time (let's say in epoch time)?

Skender


rbw78
Communicator

I tried with the following lines in my search and it works now.

eval epochevent=strptime(N_patch, "%Y/%m/%d") | eval epoch30daysago=relative_time(now(), "-30d@d" ) | where epoch30daysago>=epochevent

Thanks for your help!

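A self-contained search added here as an example (not from the thread) that combines the accepted answer's strptime/relative_time approach with rbw78's 30-day cutoff; the host names, day offsets and the malformed date are constructed with makeresults, so it runs without any index. It also labels rows whose Date fails to parse, which a bare where epoch30daysago>=epochevent silently drops because strptime returns null for them.

```spl
| makeresults ```one constructed row; the host:offset pairs below are made up for the example```
| eval rows="hostA:-45 hostB:-10 hostC:-31 hostD:bad"
| makemv delim=" " rows
| mvexpand rows ```one row per sample host```
| rex field=rows "(?<host>[^:]+):(?<offset>.+)"
| eval Date=if(isnum(offset), strftime(relative_time(now(), offset."d@d"), "%Y-%m-%d"), "24/09/2012") ```hostD deliberately gets a date in the wrong format```
| eval event_epoch=strptime(Date, "%Y-%m-%d") ```null when Date does not match %Y-%m-%d```
| eval cutoff=relative_time(now(), "-30d@d") ```midnight, 30 days ago```
| eval age_days=floor((now() - event_epoch) / 86400)
| eval status=case(isnull(event_epoch), "unparseable", event_epoch < cutoff, "older_than_30d", true(), "recent")
| table host Date age_days status
```

Expected result: hostA and hostC are older_than_30d, hostB is recent, and hostD is unparseable with an empty age_days; the triple-backtick parts are SPL search comments and can be removed.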

Ayn
Legend

Do you mean that the date field is different from the event's timestamp? So you want to compare the timestamp to some date in the event?


in22915110
Engager

Hi,

I want to compare the event time to less than Tuesday 2 PM of every week. Could you please let me know if this is possible?

Thanks,
Anilkumar
