topic filter time for specific range in Splunk Search

filter time for specific range

neethan — Mon, 03 Jan 2022 12:54:18 GMT

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") |
| bin _time span=1d

here _ time is giving complete data, i want to filter it for one month i.e.. 30days. I tried relative_time, but its giving only for specific day

Re: filter time for specific range

richgalloway — Mon, 03 Jan 2022 14:39:11 GMT

Please tell us more about your use case and what you've tried so far. When do the 30 days begin and end? Is opened_time the start or end of the month? What did you try with relative_time?

Re: filter time for specific range

neethan — Mon, 03 Jan 2022 15:08:08 GMT

I am getting data like this, but i want data only for previous 30days

_time false true

1	2021/07/21	1	0
2	2021/10/04	1	0
3	2021/10/14	2	0
4	2021/11/04

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") |eval _time = if(_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d /// this errors

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") |eval _time<relative_time(now(),"-3d@d") /// this gives data for that particular day i.e. Dec 31st data

Re: filter time for specific range

richgalloway — Mon, 03 Jan 2022 18:43:34 GMT

You were close! The eval command assigns a value to a field. To filter events based on field values, use the where command.

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") | where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d")) | bin _time span=1d

Re: filter time for specific range

neethan — Tue, 04 Jan 2022 06:24:47 GMT

here _time> condition will print sep, oct,nov values as well, but my requirement is to print only previous months

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") | where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d")) | bin _time span=1d

Re: filter time for specific range

neethan — Tue, 04 Jan 2022 07:02:41 GMT

here _time> condition will print sep, oct,nov values as well, but my requirement is to print only previous months

| savedsearch cbp_inc_base 
| eval _time=strftime(opened_time, "%Y/%m/%d") 
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d

Re: filter time for specific range

isoutamo — Tue, 04 Jan 2022 08:30:52 GMT

you should replace where with this

| where (_time <= relative_time(now(),"@mon")) AND (_time >= relative_time(now(),"-1mon@mon"))

Of course it will be best if you can add this already on search from index phase as earliest=.... AND latest=... that was the most efficient way to do the query.

r. Ismo

And just like @ITWhisperer said, don't convert _time. Splunk UI will do that conversion when needed automatic. So just drop that eval _time = strftime... from there.

Re: filter time for specific range

ITWhisperer — Tue, 04 Jan 2022 08:25:55 GMT

Why are you converting _time to a string (strftime) then comparing to a numeric value (relative_time)? Try doing your comparisons before you convert _time to a string.

Re: filter time for specific range

neethan — Tue, 04 Jan 2022 10:24:46 GMT

the query you ave given is not working.

I did include earliest in my base search, but still it gives old data. Not sure from where its picking

index="ab" source_name=xy platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=abc source_name=xyz earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| table hostname, alert_id, incident_number, correct_host, opened_time
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints

Re: filter time for specific range

neethan — Wed, 05 Jan 2022 13:11:29 GMT

the query you ave given is not working.

I did include earliest in my base search, but still it gives old data. Not sure from where its picking

Re: filter time for specific range

neethan — Wed, 05 Jan 2022 13:21:20 GMT

Thanks for all your help, i modified base search as below and it worked

| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))