topic Re: Events older then 30 days in Splunk Search

Events older then 30 days

DTERM — Mon, 25 Jun 2012 18:56:19 GMT

The following is a sample entry from a splunk index...

lastOccurrence=2012-06-25 18:42:38.0|firstOccurrence=2012-06-18 14:45:59.0|writeTime=2012/06/25 18:40:55|actionCode=U|actionTime=2012-06-25 18:42:39.0|serverName=SERVER1|serverSerial=300998|identifier=10.169.255.trap61 server1.mydomain.com Host State - UP/DOWN|severity=0|alertText=PING OK - Packet loss = 0%, RTA = 0.03 ms|businessUnit=HQ|cmName=server.mydomain.com|deletedBy=|dmName=None|hostGroup=|msgSrc=Nagios|nagios_duration=0d 0h 0m 0s|netcool_duration=|productName=PRIMARY SERVICES|serviceName=Host State - UP/DOWN|supportGroup=SYSADMIN|tally=8200|tgtHostname=server1.mydomin.com|ticketNumber=

How can I extract events that are older then 30 days based on the lastOccurance field. Note the format of the field, I'm not concerned with the hours, minutes, or seconds.

Thanks in advance.

Re: Events older then 30 days

Ayn — Mon, 25 Jun 2012 19:09:10 GMT

Isn't the lastOccurrence field already extracted as the timestamp Splunk uses itself?

Re: Events older then 30 days

lguinn2 — Mon, 25 Jun 2012 23:20:16 GMT

I agree with Ayn - you might be able to search based on the splunk timestamp; the search would look like

source=yourfilename latest=-30d@d earliest=0

But, if you really want to search based on the lastOccurance field:

lastOccurence=*
| eval testDate=strptime(lastOccurence,"%Y-%m-%d")
| where testDate < relative_time(now(),"-30d@d")

Duh - I cannot type sometimes. It is probably the spelling.

Re: Events older then 30 days

DTERM — Wed, 27 Jun 2012 15:05:39 GMT

That does not work. Not sure why, but it does not work.

Re: Events older then 30 days

Ayn — Wed, 27 Jun 2012 15:17:01 GMT

Make sure that the spelling of "lastOccurrence" is correct in your search command.

Re: Events older then 30 days

lguinn2 — Wed, 27 Jun 2012 15:24:25 GMT

Does it give you any data? What do you get if you run this instead?

lastOccurence=*
| eval testDate=strptime(lastOccurence,"%Y-%m-%d")
| eval lastMo = relative_time(now(),"-30d@d")
| where testDate < lastMo
| table testDate lastMo lastOccurence

(And you might have to leave off the where command if you aren't getting any data)
- Updated for spelling -

Re: Events older then 30 days

ecanmaster — Fri, 22 Dec 2017 11:24:03 GMT

this one works, thx !!

Re: Events older then 30 days

meganarellano — Wed, 09 May 2018 18:05:37 GMT

I had to add an additional eval to get mine to work but this is the answer I've been searching for for a while. Thank you!

|eval test=relative_time(now(),"-90d@d")
|eval test2=strftime(test,"%Y-%m-%d")
|where StartDate > test2