topic Re: How do I search records for today and 120 days back? in Splunk Search

How do I search records for today and 120 days back?

tferranteku — Wed, 30 Sep 2020 05:11:27 GMT

sort -date | dedup Date_Month_Year | where Date>1575183600

I need this query to run only for the past 120 days from today. I can put in the date manually as above, but need this to be more automated so anyone can run this query and get results for the current to 120 day range.

I have the following fields:
Date Date_Friendly Date_Month_Year Host_Count
15786200 01/01/2020 January 2020 1234

I have tried 2 things and neither works.

where (strptime(Date, "%m/%d/%Y")>=strptime("4/2/2018", "%m/%d/%Y")) AND (strptime(Date, "%m/%d/%Y")>=strptime("4/10/2018", "%m/%d/%Y"))

| eval Date="1/1/2020" 
| eval timestampDate=strptime(Date, "%m/%d/%Y")  
| eval timestampStart=strptime("1/1/2020", "%m/%d/%Y") 
| eval timestampEnd=strptime("5/1/2020", "%m/%d/%Y") 
| eval formattedTimestamp = strftime(timestamp,"%Y-%m-%dT%H:%M:%S") 
| where timestampDate >= timestampStart AND timestampDate <= timestampEnd

Re: How do I search records for today and 120 days back?

tauliang — Thu, 30 Apr 2020 22:13:11 GMT

Assuming your events have _time in them, besides the fields you already have, can you try this really quick?

... <whatever searches you have>
earliest =-120d@d

earliest="01/01/2020:00:00:00" 
latest="05/01/2020:00:00:00"

Either should work.

Re: How do I search records for today and 120 days back?

richgalloway — Fri, 01 May 2020 12:51:14 GMT

Try relative_time. It computes a new timestamp based on an existing time and a modifier string.

where (strptime(Date, "%m/%d/%Y")>=relative_time(now(), "-120d"))

Re: How do I search records for today and 120 days back?

tferranteku — Fri, 01 May 2020 14:15:58 GMT

I am getting Unknown search command 'earliest'

Re: How do I search records for today and 120 days back?

tferranteku — Fri, 01 May 2020 14:19:41 GMT

Received the following error:
Error in 'where' command: The expression is malformed. Expected).

Re: How do I search records for today and 120 days back?

richgalloway — Fri, 01 May 2020 15:40:43 GMT

So add the missing ). See the updated answer.

Re: How do I search records for today and 120 days back?

tferranteku — Wed, 30 Sep 2020 05:17:03 GMT

You are correct that I was missing the ) -- but now i get No results found.

This is what i have so far that works but I need to simplify:

sort -date | dedup Date_Month_Year | where Date_Friendly="05/01/2020" or Date_Friendly="04/01/2020" or Date_Friendly="03/01/2020"

Re: How do I search records for today and 120 days back?

richgalloway — Fri, 01 May 2020 16:50:28 GMT

Now I'm lost. That last query seems to do something very different from the "120 days ago" in the original question.

Re: How do I search records for today and 120 days back?

tferranteku — Wed, 30 Sep 2020 05:17:06 GMT

I worked out my answer:

dedup Date_Month_Year _ | Sort Date | eval Range=now() | eval StartRange=(Range-10518972) | where Date>StartRange