topic Re: Pulling 1-day old records in Splunk Search

Pulling 1-day old records

vnguyen46 — Tue, 03 Sep 2019 18:54:25 GMT

Hi,

Let say I have field lastTime (sample value lastTime = 09/01/2019 11:52:31). There are records with lastTime reported > 1 day (24 hours) that I'd like to set the alert on. Is there a way I can pull these records?

Thanks,

Re: Pulling 1-day old records

richgalloway — Tue, 03 Sep 2019 21:04:50 GMT

Is lastTime the same as _time? Are you looking for lastTime values more than 24 hours in the past or in the future?

Re: Pulling 1-day old records

vnguyen46 — Tue, 03 Sep 2019 21:35:09 GMT

Thanks for helping. lastTime is a variable with value like 08/26/2019 11:20:01, but yes it can be the same as _time.
I mean 24 hr to the future. Let say: latencyTime = (now - lastTime) if latencyTime >24 hours, then fire the alert.

Re: Pulling 1-day old records

richgalloway — Tue, 03 Sep 2019 23:36:17 GMT

So to clarify further, lastTime can be the same as _time, but not always?
You say 24 hours to the future, but your example SPL computes 24 hours in the past. Which is correct?

Re: Pulling 1-day old records

KARANMALHOTRA — Wed, 04 Sep 2019 05:56:39 GMT

Are you trying to identify latency between the events getting generated and the time that they are indexed?

Re: Pulling 1-day old records

vnguyen46 — Wed, 30 Sep 2020 02:04:04 GMT

Hi richgalloway - thanks again for giving help. I found an answer to another question and I think it's helpful:
... | eval ddate_epoch = strptime(ddate, "%Y-%m-%d %H:%M:%S") | eval diff_seconds = now() - ddate_epoch | eval diff_days = diff_seconds / 86400

In my case, if diff_days>1 triggering an alert.

Re: Pulling 1-day old records

richgalloway — Wed, 04 Sep 2019 19:32:24 GMT

If your problem is resolved, please accept the answer to help future readers.

Re: Pulling 1-day old records

vnguyen46 — Wed, 04 Sep 2019 19:34:06 GMT

thank you.