https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576384#M200877 <P>Thanks. Had I been wrtiting this on my computer I'd surely check the timespecs. But in the morning I usually answer on my tablet while walking the dog <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 26 Nov 2021 07:05:28 GMT PickleRick 2021-11-26T07:05:28Z https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576371#M200873 <P>Hi I'm looking to search a dataset to returns entries from yesterday's date based off a date field which has been converted as such (from another job):&nbsp; | eval event_time = now() | convert ctime(event_time)&nbsp;</P><P>The value is stored as&nbsp;11/24/2021 22:28</P><P>Please assist how to search and return this value using a yesterday variable?</P><P>I hope that makes sense, forgive me I'm still learning.</P><P>&nbsp;</P><P>To illustrate,&nbsp; manually entering eventDate="11/24" works, but not sure how to get a 'yesterday' to work with the dataset.</P><P>| inputlookup thisDataset.csv | search eventDate="11/24*"<BR />| sort Brand, eventDate<BR />| iplocation clientip<BR />| table _time Brand clientip City Region count eventDate</P> Fri, 26 Nov 2021 03:51:26 GMT https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576371#M200873 solaced 2021-11-26T03:51:26Z https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576374#M200874 <P>In such case it makes sense to use a subquery. For example:</P><PRE>| inoutlookup your.csv | search <BR /> [ | makeresults <BR /> | eval d=now()-86400<BR /> | eval eventDate=strftime("%i %never %remember %these",d)<BR /> | fields eventDate ]</PRE><P>&nbsp;</P> Fri, 26 Nov 2021 05:08:46 GMT https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576374#M200874 PickleRick 2021-11-26T05:08:46Z https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576383#M200876 <P>Here</P><P>&nbsp;</P><LI-CODE lang="markup">| eval eventDate=strftime(d, "%d/%m/%Y")</LI-CODE><P>&nbsp;</P><P>If needed you can concatenate * to end of the string.</P><P>And bookmark to that page</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables</A>&nbsp;</P><P>Another link to commands</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands</A></P><P>&nbsp;</P> Fri, 26 Nov 2021 06:59:41 GMT https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576383#M200876 isoutamo 2021-11-26T06:59:41Z https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576384#M200877 <P>Thanks. Had I been wrtiting this on my computer I'd surely check the timespecs. But in the morning I usually answer on my tablet while walking the dog <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 26 Nov 2021 07:05:28 GMT https://community.splunk.com/t5/Splunk-Search/Help-searching-dataset-with-a-date-field/m-p/576384#M200877 PickleRick 2021-11-26T07:05:28Z