https://community.splunk.com/t5/Splunk-Search/Extract-data-between-multiple-days/m-p/484851#M135723 <P>Perhaps this will get you started. It produces a 'period' field that you should be able to use for other purposes.</P> <PRE><CODE>index=foo earliest=-720d latest=now | eval epoch = strptime (acd_date, "&lt;format of the acd_date field&gt;") | eval period = case(epoch &lt; relative_time(now(), "-32d"), "1-32", epoch &lt; relative_time(now(), "-42d"), "&gt;32", epoch &lt; relative_time(now(), "-72d"), "&gt;42", epoch &lt; relative_time(now(), "-365d"), "&lt;365", 1==1, "&lt;720") | ... </CODE></PRE> Wed, 29 Apr 2020 20:38:18 GMT richgalloway 2020-04-29T20:38:18Z https://community.splunk.com/t5/Splunk-Search/Extract-data-between-multiple-days/m-p/484850#M135722 <P>Hi Guys,</P> <P>I am just trying to write a spluNk query to extract data between 1-32 days , &gt;32 days , &gt; 42 days , &gt; 72 days , &lt; 365 days and &lt; 720 days</P> <P>I tried multiple queries and I believe it's possible with the case statement . Kindly suggest on this. </P> <P>Note : I just have one custom field acd_date which I should use in my case statement.</P> <P>Thanks in advance</P> Wed, 29 Apr 2020 20:18:47 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-between-multiple-days/m-p/484850#M135722 Inayath_khan 2020-04-29T20:18:47Z https://community.splunk.com/t5/Splunk-Search/Extract-data-between-multiple-days/m-p/484851#M135723 <P>Perhaps this will get you started. It produces a 'period' field that you should be able to use for other purposes.</P> <PRE><CODE>index=foo earliest=-720d latest=now | eval epoch = strptime (acd_date, "&lt;format of the acd_date field&gt;") | eval period = case(epoch &lt; relative_time(now(), "-32d"), "1-32", epoch &lt; relative_time(now(), "-42d"), "&gt;32", epoch &lt; relative_time(now(), "-72d"), "&gt;42", epoch &lt; relative_time(now(), "-365d"), "&lt;365", 1==1, "&lt;720") | ... </CODE></PRE> Wed, 29 Apr 2020 20:38:18 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-between-multiple-days/m-p/484851#M135723 richgalloway 2020-04-29T20:38:18Z https://community.splunk.com/t5/Splunk-Search/Extract-data-between-multiple-days/m-p/484852#M135724 <PRE><CODE>| makeresults count=2 | streamstats count | eval _time=if(count=2,relative_time(_time,(-1*count)."y@y"),_time) | makecontinuous span=1d _time | timechart count span=1d | eval diff=tostring(now() - _time,"duration") | rex field=diff "(?&lt;daysAgo&gt;\d+)\+" | fillnull daysAgo | eval acd_date=case(daysAgo &lt;= 32 ,"less32days" , daysAgo &lt;= 42, "less42days", daysAgo &lt;= 72,"less72days" , daysAgo &lt;= 365,"less1year", daysAgo &lt;= 720,"less2years",true(), "over2years") | dedup acd_date </CODE></PRE> <P>It's all about order.</P> Wed, 29 Apr 2020 20:54:50 GMT https://community.splunk.com/t5/Splunk-Search/Extract-data-between-multiple-days/m-p/484852#M135724 to4kawa 2020-04-29T20:54:50Z