Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Date Comparison with current date

rohankin
New Member
‎10-25-2019 11:36 AM

Hi,

I am trying to display results in separate panels based on date fields in my dataset. I want to display results where Date1 is less than 7 days from current date and
in separate panel , I want to display results where Date 2 is less than 7 days from current date.

I tried using eval but it doesn't provide any results

Queries that I tried:
|inputlookup devices_lookup |eval _time=strptime(Date1, "%m/%d/%Y") |search latest=-7d

|inputlookup devices_lookup |eval Test=substr(Date2, 0,10)| eval _time=strptime(Date2, "%m/%d/%Y") |search latest=-7d

Is there any way to perform this using standard date functions as I have NULL values in Date1, Date2 columns too which I want to handle.
I have also attached sample data here. alt text

Thanks !
Rohan K

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-25-2019 12:50 PM

Like this:

|inputlookup devices_lookup
| eval _time=strptime(Date1, "%m/%d/%Y")
| where _time <= relative_time(now(), "-7d")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-25-2019 12:50 PM

Like this:

|inputlookup devices_lookup
| eval _time=strptime(Date1, "%m/%d/%Y")
| where _time <= relative_time(now(), "-7d")
0 Karma
Reply
Solved! Jump to solution

koreamit3483
Explorer
‎12-09-2021 06:08 AM

I have a query on top of this.. 

What if i want to use the token instead of "Date1" ?

means the date which is being selected from drop down.

0 Karma
Reply
Solved! Jump to solution

rohankin
New Member
‎10-30-2019 05:43 AM

Thanks ! That worked. I just noticed my data also has many rows where date is "12/31/1969 07:10 pm" which is UNIX timestamp 0. strptime doesnt work on that. Any suggestion on how I should handle this ?
I am thinking of changing that date to "0" or "missing" to reflect the fact that "Date" field is not being populated for those devices.

Any idea how should I do that ?

Thanks !
Rohan K.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-31-2019 12:38 PM

Fix your data onboarding. DO NOT LET SPLUNK GUESS WHERE/WHAT THE TIMESTAMP IS! Google splunk Magic 8.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...