https://community.splunk.com/t5/Splunk-Search/How-to-search-from-custom-time-field/m-p/601155#M209230 <P>Thanks you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/211432">@jamie00171</a>,</P><P>I tried your solution with below query, I think am getting expected results. Thanks agian!</P><P>| eval etime=(strftime(strptime(last_found,"%Y-%m-%dT%H:%M:%S.%Q%Z"),"%s"))<BR />| eval seven_days_ago=relative_time(now(), "-7d")<BR />| where etime &gt; seven_days_ago</P> Thu, 09 Jun 2022 09:22:01 GMT kpavan 2022-06-09T09:22:01Z https://community.splunk.com/t5/Splunk-Search/How-to-search-from-custom-time-field/m-p/601054#M209207 <P>Hi All,</P> <P>I have logs which is from db_inputs/custom_script where owner not indexing custom time field as _time and they are importing all data every day without incremental.&nbsp;</P> <P>So i need to find assets which is last 7days with custom time field</P> <P>custom time field is last_found,</P> <P><A href="https://internal.paypalinc.com/splunkgp/en-US/app/search-securityreporting/search?q=search%20index%3Dpp_security_tenable_automation%20sourcetype%3D%22tenable%3Aio%3Aassets%22%20%0A%7C%20eval%20filterdate%3D(strftime(strptime(last_found%2C%22%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25Z%22)%2C%22%25Y-%25m-%25d%20%25H%3A%25M%3A%25S%22))&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-7d%40h&amp;latest=now&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1654705009.45373_15AEB5F8-BC76-42D8-BE8F-54512BD1CF43#" target="_blank" rel="noopener">2020-07-06T17:42:29.322Z</A></P> <P><A href="https://internal.paypalinc.com/splunkgp/en-US/app/search-securityreporting/search?q=search%20index%3Dpp_security_tenable_automation%20sourcetype%3D%22tenable%3Aio%3Aassets%22%20%0A%7C%20eval%20filterdate%3D(strftime(strptime(last_found%2C%22%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25Z%22)%2C%22%25Y-%25m-%25d%20%25H%3A%25M%3A%25S%22))&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-7d%40h&amp;latest=now&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1654705009.45373_15AEB5F8-BC76-42D8-BE8F-54512BD1CF43#" target="_blank" rel="noopener">2020-01-06T17:42:29.322Z</A></P> <P><A href="https://internal.paypalinc.com/splunkgp/en-US/app/search-securityreporting/search?q=search%20index%3Dpp_security_tenable_automation%20sourcetype%3D%22tenable%3Aio%3Aassets%22%20%0A%7C%20eval%20filterdate%3D(strftime(strptime(last_found%2C%22%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25Z%22)%2C%22%25Y-%25m-%25d%20%25H%3A%25M%3A%25S%22))&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-7d%40h&amp;latest=now&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1654705009.45373_15AEB5F8-BC76-42D8-BE8F-54512BD1CF43#" target="_blank" rel="noopener">2020-01-05T17:42:29.322Z</A></P> <P><A href="https://internal.paypalinc.com/splunkgp/en-US/app/search-securityreporting/search?q=search%20index%3Dpp_security_tenable_automation%20sourcetype%3D%22tenable%3Aio%3Aassets%22%20%0A%7C%20eval%20filterdate%3D(strftime(strptime(last_found%2C%22%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25Z%22)%2C%22%25Y-%25m-%25d%20%25H%3A%25M%3A%25S%22))&amp;display.page.search.mode=verbose&amp;dispatch.sample_ratio=1&amp;earliest=-7d%40h&amp;latest=now&amp;display.page.search.tab=events&amp;display.general.type=events&amp;sid=1654705009.45373_15AEB5F8-BC76-42D8-BE8F-54512BD1CF43#" target="_blank" rel="noopener">2020-01-04T17:42:29.322Z</A></P> <P>from these date&amp;time how can i search assets which is only last 7days from last_found custom time field. Please help on the query that would be great help.</P> <P>&nbsp;</P> <P>Thanks!</P> Wed, 08 Jun 2022 16:39:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-custom-time-field/m-p/601054#M209207 kpavan 2022-06-08T16:39:46Z https://community.splunk.com/t5/Splunk-Search/How-to-search-from-custom-time-field/m-p/601058#M209209 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49826">@kpavan</a>&nbsp;,</P><P>You could use strptime to convert last_found to an epoch timestamp:&nbsp;<A href="https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#strptime" target="_blank">https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#strptime</A></P><P>Then do something like:&nbsp;</P><P><SPAN>| eval seven_days_ago=relative_time(now(), "-7d")</SPAN></P><P>Then search for events where last_found &gt; seven_days_ago</P><P>Thanks,</P><P>Jamie</P> Wed, 08 Jun 2022 17:15:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-custom-time-field/m-p/601058#M209209 jamie00171 2022-06-08T17:15:21Z https://community.splunk.com/t5/Splunk-Search/How-to-search-from-custom-time-field/m-p/601155#M209230 <P>Thanks you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/211432">@jamie00171</a>,</P><P>I tried your solution with below query, I think am getting expected results. Thanks agian!</P><P>| eval etime=(strftime(strptime(last_found,"%Y-%m-%dT%H:%M:%S.%Q%Z"),"%s"))<BR />| eval seven_days_ago=relative_time(now(), "-7d")<BR />| where etime &gt; seven_days_ago</P> Thu, 09 Jun 2022 09:22:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-custom-time-field/m-p/601155#M209230 kpavan 2022-06-09T09:22:01Z