Splunk Log - Date comparison

Question

I have configured my application logs over splunk and want to do the following -

1. Get events when the string has today's date
2. Get events when the string has tomorrow's date.

I have tried to write a query as below for #1, but it doesn't seem to return anything

REGAVAIL | eval Date=strftime(strptime(Date, "%m%d%Y"), "%m%d%Y") | where Date>= strftime(now(), "%m%d%Y")

My search string is REGAVAIL and all events are in the below format -

REGAVAIL|00958645030|8871|1|61745|01262017|0|N|N|Y|N|Y|N|N|O|O|O|O|O|O|O|1013|F REGAVAIL|00958647200|8871|1|61745|01282017|0|N|N|Y|N|Y|N|N|O|O|O|O|O|O|O|1013|F REGAVAIL|00958649200|8871|1|61745|01292017|0|N|N|Y|N|Y|N|N|O|O|O|O|O|O|O|1013|F

I want to first extract date from it - 01262017and then compare it with today's date. If the match is found, that event should be considered.

Any help would be appreciated!

Answer 1

1. This search creates two strings based on a. event _time and b. the current date using now(). Then we'll create a new field called match to contain Yes or No for whether the event _time matches the relative time that we've calculated.

   index=yourindex "REGAVAIL" | eval eventTime = strftime(_time, "%Y-%m-%d") | eval timeNow = strftime(relative_time(now(),"@d"), "%Y-%m-%d") | eval match=if(eventTime=timeNow, "Yes", "No") | search match="Yes"

2. The second search is pretty much the same. The only thing I've changed is the parameter sent to the relative_time function. It's now set to -1d@d which returns yesterday's date.

   index=yourindex "REGAVAIL" | eval eventTime = strftime(_time, "%Y-%m-%d") | eval timeNow = strftime(relative_time(now()," -1d@d "), "%Y-%m-%d") | eval match=if(eventTime=timeNow, "Yes", "No") | search match="Yes"

In theory you can modify this relative_time function to look 2 days ahead, 3 days behind etc.

Hope this helps. Shout if you have any problems.