Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for Entries Between DateTime field value?

akpuvvada
Engager
‎02-14-2023 12:33 PM

I am trying to find entries between a date-time range based on a field in the event 'Date'. It date-time value of the field is in the format - %Y-%m-%d %H:%M:%S.

 

I am using below query:

 

 

 

(index=myindex) ((strptime(Date, "%Y-%m-%d %H:%M:%S")>=strptime("2023-02-11 00:00:00", "%Y-%m-%d %H:%M:%S")) AND (strptime(Date, "%Y-%m-%d %H:%M:%S")>=strptime("2023-02-11 23:59:59", "%Y-%m-%d %H:%M:%S")))

 

 

 

 

It is giving me below Error:

 

 

 

Error in 'search' command: Unable to parse the search: Comparator '>=' has an invalid term on the left hand side: (Date "%Y-%m-%d %H:%M:%S").

 

 

 

 

Sample Data:

 

 

 

{
  "InterfaceNumber": "I-XXXX",
  "SystemCode": "sys",
  "Element": "JobID:bw0a104of",
  "Data": "",
  "Severity": "Error",
  "ProcessContext_ProcessId": "bw0a104of",
  "Subject": "/api/login",
  "Date": "2023-02-14 12:25:01",
  "ErrorMessages": "This is an Error",
  "ProcessContext_ProjectName": "MyApp.application",
  "HostName": "localhost.mydomain.com",
  "ProcessContext_RestartedFromCheckpoint": false,
  "ProcessContext_EngineName": "MyApp"
 }

 

 

 

 

Not sure what I am doing wrong. Any help appreciated.

--

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 01:00 PM

You can't do these type of criteria on the search command, as parsing data has to be done in the eval - unless you set up a calculated field that does these evals for you.

This is how you would do it

(index=myindex) 
| eval Date_value=strptime(Date, "%Y-%m-%d %H:%M:%S")
| eval min_Date=strptime("2023-02-11 00:00:00", "%Y-%m-%d %H:%M:%S")
| eval max_Date=strptime("2023-02-12 00:00:00", "%Y-%m-%d %H:%M:%S")
| where (Date_value >= min_Date AND Date_value < max_Date

Note that your second comparison said >= but I imagine you means <=.

However, I also changed the second strptime for end date to be 00:00:00 on the 12th and used less than rather than <=, as yours will miss any events that come in between 23:59:59 and 00:00:00 (1000 milliseconds gap).

Note that your data range is always searched by the _time field, so if your Date field has the same value as the _time field, then you don't need any of this, you just use earliest/latest values in the search or time picker.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 01:00 PM

You can't do these type of criteria on the search command, as parsing data has to be done in the eval - unless you set up a calculated field that does these evals for you.

This is how you would do it

(index=myindex) 
| eval Date_value=strptime(Date, "%Y-%m-%d %H:%M:%S")
| eval min_Date=strptime("2023-02-11 00:00:00", "%Y-%m-%d %H:%M:%S")
| eval max_Date=strptime("2023-02-12 00:00:00", "%Y-%m-%d %H:%M:%S")
| where (Date_value >= min_Date AND Date_value < max_Date

Note that your second comparison said >= but I imagine you means <=.

However, I also changed the second strptime for end date to be 00:00:00 on the 12th and used less than rather than <=, as yours will miss any events that come in between 23:59:59 and 00:00:00 (1000 milliseconds gap).

Note that your data range is always searched by the _time field, so if your Date field has the same value as the _time field, then you don't need any of this, you just use earliest/latest values in the search or time picker.

 

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...