https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304860#M164767 <P>Try something like this</P> <PRE><CODE>index=foo sourcetype=bar... (your base search)... [| gentimes start=-1 | eval "Closed date"=strftime(relative_time(now(),"-1d@d"),"%Y/%m/%d") | table "Closed date" ] |...rest of the search </CODE></PRE> <P>The subsearch would return yesterday's date in same format as field "Closed date" to filter records. Please ensure that the time range (which only works on _time) is selected in way that it includes all the data that may have "Closed date" of yesterday.</P> Mon, 27 Nov 2017 16:04:48 GMT somesoni2 2017-11-27T16:04:48Z https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304859#M164766 <P>I have a date field called "Closed date" in following format "%Y/%m/%d" that IS NOT my timestamp field &amp; want to create a daily scheduled report that only returns data for "Closed date"=previous day. I've tried a eventstats max(closed date) formula but this trips up as on a rare occasion there will be a close date of today. </P> <P>Any suggestions??</P> Mon, 27 Nov 2017 15:58:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304859#M164766 jackreeves 2017-11-27T15:58:24Z https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304860#M164767 <P>Try something like this</P> <PRE><CODE>index=foo sourcetype=bar... (your base search)... [| gentimes start=-1 | eval "Closed date"=strftime(relative_time(now(),"-1d@d"),"%Y/%m/%d") | table "Closed date" ] |...rest of the search </CODE></PRE> <P>The subsearch would return yesterday's date in same format as field "Closed date" to filter records. Please ensure that the time range (which only works on _time) is selected in way that it includes all the data that may have "Closed date" of yesterday.</P> Mon, 27 Nov 2017 16:04:48 GMT https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304860#M164767 somesoni2 2017-11-27T16:04:48Z https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304861#M164768 <P>That has worked like a charm! Thank you so much. I've never come across the gentimes function before</P> Mon, 27 Nov 2017 16:17:29 GMT https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304861#M164768 jackreeves 2017-11-27T16:17:29Z https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304862#M164769 <P>I'm using gentimes command to just generate a single row where I can set "Closed date" and return it's value. A more appropriate command for this, for version 6.3+, is <CODE>| makeresults</CODE>. (Replacing <CODE>| gentimes start=-1</CODE> with <CODE>|makeresults</CODE> in above search).</P> Mon, 27 Nov 2017 16:30:36 GMT https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304862#M164769 somesoni2 2017-11-27T16:30:36Z https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304863#M164770 <P>Thanks, updated search accordingly. Is there any documentation on these functions, would like to understand more?</P> Mon, 27 Nov 2017 16:38:00 GMT https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304863#M164770 jackreeves 2017-11-27T16:38:00Z https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304864#M164771 <P>Absolutely. Here is the documentation for makeresults specifically. You can find all other search command in the left side tree view.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Makeresults">https://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Makeresults</A></P> Mon, 27 Nov 2017 16:49:11 GMT https://community.splunk.com/t5/Splunk-Search/Using-non-timestamp-field-to-produce-search-for-yesterday/m-p/304864#M164771 somesoni2 2017-11-27T16:49:11Z