https://community.splunk.com/t5/Alerting/Help-with-query-to-notify-when-date-is-older-than-x-amount-of/m-p/584627#M13458 <P>Hi all,</P> <P>&nbsp;</P> <P>I have a table called&nbsp;active_services.csv.<BR />One of the fields is called&nbsp;<A href="https://gdcsplunk/en-AU/app/tpa/search?q=%7C%20from%20inputlookup%3A%22telstra_nbn_active_services.csv%22&amp;sid=1644549613.4958167_2191905C-3D94-4E49-8B9F-1F31FD275CDD&amp;earliest=-24h%40h&amp;latest=now&amp;display.statistics.sortColumn=Report_Date&amp;display.statistics.sortDirection=desc&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;display.general.type=statistics#" target="_blank" rel="noopener">Report_Date</A></P> <P>Date value is in the following format&nbsp;<SPAN>20220124.<BR />The CSV file is automatically updated weekly but sometimes fails and requires manual intervention.<BR /></SPAN></P> <P><SPAN>I need help with a query so I can setup an alert to notify me when the report date value is older than X amount of days.<BR /><BR />Please help.</SPAN></P> <P><SPAN>Thank you for your help in advance.</SPAN></P> Fri, 11 Feb 2022 16:55:49 GMT goken 2022-02-11T16:55:49Z https://community.splunk.com/t5/Alerting/Help-with-query-to-notify-when-date-is-older-than-x-amount-of/m-p/584627#M13458 <P>Hi all,</P> <P>&nbsp;</P> <P>I have a table called&nbsp;active_services.csv.<BR />One of the fields is called&nbsp;<A href="https://gdcsplunk/en-AU/app/tpa/search?q=%7C%20from%20inputlookup%3A%22telstra_nbn_active_services.csv%22&amp;sid=1644549613.4958167_2191905C-3D94-4E49-8B9F-1F31FD275CDD&amp;earliest=-24h%40h&amp;latest=now&amp;display.statistics.sortColumn=Report_Date&amp;display.statistics.sortDirection=desc&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;display.general.type=statistics#" target="_blank" rel="noopener">Report_Date</A></P> <P>Date value is in the following format&nbsp;<SPAN>20220124.<BR />The CSV file is automatically updated weekly but sometimes fails and requires manual intervention.<BR /></SPAN></P> <P><SPAN>I need help with a query so I can setup an alert to notify me when the report date value is older than X amount of days.<BR /><BR />Please help.</SPAN></P> <P><SPAN>Thank you for your help in advance.</SPAN></P> Fri, 11 Feb 2022 16:55:49 GMT https://community.splunk.com/t5/Alerting/Help-with-query-to-notify-when-date-is-older-than-x-amount-of/m-p/584627#M13458 goken 2022-02-11T16:55:49Z https://community.splunk.com/t5/Alerting/Help-with-query-to-notify-when-date-is-older-than-x-amount-of/m-p/584666#M13459 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/174547">@goken</a>,</P><P>I suppose that you are ingesting the&nbsp;<SPAN>active_services.csv in an index.</SPAN></P><P><SPAN>So you could run a search like this (where X=30 days):</SPAN></P><LI-CODE lang="markup">index=your_index | eval Diff=strptime(Report_Date,"%Y%m%d")-86400*30 | where Diff&gt;0</LI-CODE><P>&nbsp;In this way, if you have results there are events outdated and you can create an alert with this search.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 11 Feb 2022 07:47:29 GMT https://community.splunk.com/t5/Alerting/Help-with-query-to-notify-when-date-is-older-than-x-amount-of/m-p/584666#M13459 gcusello 2022-02-11T07:47:29Z https://community.splunk.com/t5/Alerting/Help-with-query-to-notify-when-date-is-older-than-x-amount-of/m-p/584667#M13460 <LI-CODE lang="markup">| eval days=floor((relative_time(now(),"@d")-strptime(report_date,"%Y%m%d"))/(60*60*24))</LI-CODE> Fri, 11 Feb 2022 07:51:42 GMT https://community.splunk.com/t5/Alerting/Help-with-query-to-notify-when-date-is-older-than-x-amount-of/m-p/584667#M13460 ITWhisperer 2022-02-11T07:51:42Z