Splunk Log - Date comparison

Question

I have configured my application logs over splunk and want to do the following -

Get events when the string has today's date
Get events when the string has tomorrow's date.

I have tried to write a query as below for #1, but it doesn't seem to return anything

REGAVAIL | eval Date=strftime(strptime(Date, "%m%d%Y"), "%m%d%Y") | where Date>= strftime(now(), "%m%d%Y")

My search string is REGAVAIL and all events are in the below format -

REGAVAIL|00958645030|8871|1|61745|01262017|0|N|N|Y|N|Y|N|N|O|O|O|O|O|O|O|1013|F REGAVAIL|00958647200|8871|1|61745|01282017|0|N|N|Y|N|Y|N|N|O|O|O|O|O|O|O|1013|F REGAVAIL|00958649200|8871|1|61745|01292017|0|N|N|Y|N|Y|N|N|O|O|O|O|O|O|O|1013|F

I want to first extract date from it - 01262017and then compare it with today's date. If the match is found, that event should be considered.

Any help would be appreciated!

Are your events just getting a timestamp of _indextime? i.e. as soon as they arrive in your application log they are being sent to Splunk by a UF/HF? — Urbley, Jan 23 '17 at 13:41

Urbley · Accepted Answer · 2017-01-24T11:28:38.737

3

This search creates two strings based on a. event _time and b. the current date using now(). Then we'll create a new field called match to contain Yes or No for whether the event _time matches the relative time that we've calculated.

index=yourindex "REGAVAIL" | eval eventTime = strftime(_time, "%Y-%m-%d") | eval timeNow = strftime(relative_time(now(),"@d"), "%Y-%m-%d") | eval match=if(eventTime=timeNow, "Yes", "No") | search match="Yes"
The second search is pretty much the same. The only thing I've changed is the parameter sent to the relative_time function. It's now set to -1d@d which returns yesterday's date.

index=yourindex "REGAVAIL" | eval eventTime = strftime(_time, "%Y-%m-%d") | eval timeNow = strftime(relative_time(now(),"-1d@d"), "%Y-%m-%d") | eval match=if(eventTime=timeNow, "Yes", "No") | search match="Yes"

In theory you can modify this relative_time function to look 2 days ahead, 3 days behind etc.

Hope this helps. Shout if you have any problems.

edited Jan 24 '17 at 11:28

answered Jan 23 '17 at 14:20

Urbley

706
6
15

Thanks. How should I replace EventDate? I don't have any such column based setup. Event appears exactly like the picture above. I am using _time to pick the events date. I just need a mechanism now to pick the date from the event -- 01262017. – Bhaskar Jan 24 '17 at 07:16
1

EventDate is being regex'd out of the _raw event. You don't need to replace it. If you run the above (obviously putting in your index name first) does it not return today's events? – Urbley Jan 24 '17 at 09:00
Thanks a lot. Finally I could figure out that below queries would work for me but I got all good pointers from you. Thanks again!! index=* REGAVAIL | rex field=_raw "^(?:[^\\|\\n]*\\|){5}(?P\\d+)" | eval eventTime = strftime(strptime(DateField, "%m%d%Y"), "%Y-%m-%d") | eval timeNow=strftime(_time,"%Y-%m-%d") | eval match=if(eventTime=timeNow, "Yes", "No") | search match="Yes" – Bhaskar Jan 24 '17 at 14:09
index=* REGAVAIL | rex field=_raw "^(?:[^\\|\\n]*\\|){5}(?P\\d+)" | eval eventTime = strftime(strptime(DateField, "%m%d%Y"), "%Y-%m-%d") | eval timeNow=strftime(_time,"%Y-%m-%d") | eval match=if(eventTime=timeNow, "Yes", "No") | search match="No" | eval diff = toNumber(strptime(eventTime, "%Y-%m-%d") - (strptime(timeNow, "%Y-%m-%d")))/3600 | where diff>=24 and diff <48| sort _time asc – Bhaskar Jan 24 '17 at 14:10

Splunk Log - Date comparison

1 Answers1