How to Find the Dates Greater than a Specific Date in SPLUNK

Lets say we have a time format field in splunk. We want the dates greater than the specific date.

We can find the dates which are greater than the specific date by the below queries.

 

Example 1 :

index=”nissan” sourcetype=”csv”
| table Opened
| eval EpochOpened=strptime(Opened,”%m/%d/%Y %H:%M”)
| eval Month=strftime(EpochOpened,”%m”),
Date=strftime(EpochOpened,”%d”),
Year=strftime(EpochOpened,”%Y”)
| search Date > 29 AND Month > 03 AND Year > 2016

 

Result:

SC11

Explanation:

In the above query “Opened” is the existing field name in the “nissan” index and sourcetype name is “csv”.

At first we have taken the “Opened” field by the “table” command. Then we have used the “strptime” function with the “eval” command to convert the time format field “Opened” into epochtime and taken the epochtime in “EpochOpened” field.After that we have formatted the date in “Month” , “Date” and “Year” fields separately from the “EpochOpened” field.At last by the “search” command we have find those date which is greater than 29th March 2016.

***********************************************************************************

Example 2:

index=”nissan” sourcetype=”csv”
| table Opened
| eval EpochOpened=strptime(Opened,”%m/%d/%Y %H:%M”)
| eval MyTime=”4/30/2018″
| eval EpochTimeMyTime=strptime(MyTime,”%m/%d/%Y”)
| where EpochOpened > EpochTimeMyTime

 

Result:

SC_2

Explanation:

In the above query “Opened” is the existing field name in the “nissan” index and sourcetype name is “csv”.

At first we have taken the “Opened” field by the “table” command. Then we have used the “strptime” function with the “eval” command to convert the time format field “Opened” into epochtime and taken the epochtime in “EpochOpened” field. After that by the “eval” command we have taken a specific date as “MyTime”. Then  we have used the “strptime” function with the eval command to convert the time format field “MyTime “ into epochtime and taken the epochtime in “EpochMyTime” field. Then we have compared the two epochtime fields by the where “commnd” and got those dates which are greter than the “MyTime” field.

 

Hope this has helped you in achieving the below requirement without fail :

How to Find the Dates Greater than a Specific Date in SPLUNK

Happy Splunking !!

 

 

 

Advertisements