https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596191#M48884 <P>I'm currently building a query that will pull data from today to April 26th,&nbsp;</P> <P>the field value contains the following time format&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">termination_initiated (field value name) 2022-05-02T11:47:01.011-07:00 2022-05-02T11:42:10.820-07:00</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;I'm currently trying to convert is so that i can only get results between today and April 26th.<BR /><BR />I've tried this piece of code with no luck</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval terminiation_started=strptime(termination_initiated,"%Y-%m-%dT %H:%M:%S.%QZ") | where termination_started&gt;=relative_time(now(),"-6d@d")</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 02 May 2022 20:12:07 GMT tayvionp 2022-05-02T20:12:07Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596191#M48884 <P>I'm currently building a query that will pull data from today to April 26th,&nbsp;</P> <P>the field value contains the following time format&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">termination_initiated (field value name) 2022-05-02T11:47:01.011-07:00 2022-05-02T11:42:10.820-07:00</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;I'm currently trying to convert is so that i can only get results between today and April 26th.<BR /><BR />I've tried this piece of code with no luck</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval terminiation_started=strptime(termination_initiated,"%Y-%m-%dT %H:%M:%S.%QZ") | where termination_started&gt;=relative_time(now(),"-6d@d")</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 02 May 2022 20:12:07 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596191#M48884 tayvionp 2022-05-02T20:12:07Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596192#M48885 <P>The <FONT face="courier new,courier">strptime</FONT> format string doesn't match the example data.&nbsp; Try</P><P>&nbsp;</P><LI-CODE lang="markup">"%Y-%m-%dT%H:%M:%S.%3N%:z"</LI-CODE><P>&nbsp;</P> Mon, 02 May 2022 20:45:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596192#M48885 richgalloway 2022-05-02T20:45:49Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596210#M48886 <P>Aside from&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;comment about format issues, if this is the real query</P><LI-CODE lang="markup">| eval terminiation_started=strptime(termination_initiated,"%Y-%m-%dT %H:%M:%S.%QZ") | where termination_started&gt;=relative_time(now(),"-6d@d")</LI-CODE><P>then the name '<STRONG>terminiation_started</STRONG>' has an extra 'i', so is not the field you are using in the where clause.</P><P>Second issue: Is that example a single event containing two values of the field?</P><P>If so, then the logic will not work anyway with the changes suggested.</P><P>If it's a multivalue field then you would need something like this</P><LI-CODE lang="markup">| eval rt=relative_time(now(),"-6d@d") | where tonumber(max(mvmap(termination_started, if(termination_started&gt;=rt, 1, 0))))&gt;0</LI-CODE><P>Also, is your _time field different to this termination initiation field?&nbsp;</P> Tue, 03 May 2022 02:55:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596210#M48886 bowesmana 2022-05-03T02:55:05Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596249#M48892 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;Thanks, the _time value is indeed different from the "termination_started" field. Also, the 2 values are the first 2 results. They aren't multi-value</P><P>&nbsp;</P> Tue, 03 May 2022 13:05:42 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596249#M48892 tayvionp 2022-05-03T13:05:42Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596553#M48912 <P>Thanks this was the needed format</P> Thu, 05 May 2022 15:37:03 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596553#M48912 tayvionp 2022-05-05T15:37:03Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596568#M48915 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Thu, 05 May 2022 16:44:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-filter-Splunk-field-results-by-time/m-p/596568#M48915 richgalloway 2022-05-05T16:44:27Z