https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611937#M212759 <P>The dedup will mean you will only get one result per agentComputerName - if you want the other dates, you should&nbsp;</P><LI-CODE lang="markup">| dedup agentComputerName installedAt</LI-CODE> Mon, 05 Sep 2022 11:18:16 GMT ITWhisperer 2022-09-05T11:18:16Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611911#M212741 <P>I have <STRONG>installedAt</STRONG> field which gives the application's installation time.</P> <P>If I run a Splunk search for the last 7 days it shows the application installed at different times.</P> <P>So I want the query to find the applications installed in the last 7 days.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexspunkshell_1-1662371661439.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21310i38568AA254F615C6/image-size/medium?v=v2&amp;px=400" role="button" title="alexspunkshell_1-1662371661439.png" alt="alexspunkshell_1-1662371661439.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 05 Sep 2022 22:03:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611911#M212741 alexspunkshell 2022-09-05T22:03:27Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611917#M212744 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/126376">@alexspunkshell</a>,</P><P>you could run a search like the following:</P><LI-CODE lang="markup">&lt;your_search&gt; | eval duration=tostring(now()-strptime(InstalledAt,"%Y-%m-%dT%H:%M:%S.%6N"),"duration") | table _time InstalledAt duration</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 05 Sep 2022 10:10:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611917#M212744 gcusello 2022-09-05T10:10:06Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611927#M212751 <P>You appear to have two different time formats in use - try something like this</P><LI-CODE lang="markup">| where now()-coalesce(strptime(installedAt,"%Y-%m-%dT%H:%M:%S.%6N%Z"),strptime(installedAt,"%Y-%m-%dT%H:%M:%S%Z")) &lt; (60*60*24*7)</LI-CODE> Mon, 05 Sep 2022 10:36:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611927#M212751 ITWhisperer 2022-09-05T10:36:40Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611928#M212752 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;Tried using the queries. But no results.</P> Mon, 05 Sep 2022 10:40:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611928#M212752 alexspunkshell 2022-09-05T10:40:55Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611930#M212754 <P>Given that your example times are 4-5 years ago, could it be that you haven't had any installs in the last 7 days?</P> Mon, 05 Sep 2022 10:45:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611930#M212754 ITWhisperer 2022-09-05T10:45:12Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611931#M212755 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/126376">@alexspunkshell</a>,</P><P>there are two choices:</P><UL><LI>as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;said, there isn't any event,</LI><LI>check how it's written installedAt field name: field names are case sensitive.</LI></UL><P>Ciao.</P><P>Giuseppe</P> Mon, 05 Sep 2022 10:48:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611931#M212755 gcusello 2022-09-05T10:48:13Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611934#M212757 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp; I have new installs but the query is updating the latest time to all results and showing all the results. Here I need the installation that occurred over the past 7 days.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexspunkshell_0-1662374944691.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21315i635968D4DBD39F6F/image-size/medium?v=v2&amp;px=400" role="button" title="alexspunkshell_0-1662374944691.png" alt="alexspunkshell_0-1662374944691.png" /></span></P><P>&nbsp;</P> Mon, 05 Sep 2022 10:50:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611934#M212757 alexspunkshell 2022-09-05T10:50:36Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611937#M212759 <P>The dedup will mean you will only get one result per agentComputerName - if you want the other dates, you should&nbsp;</P><LI-CODE lang="markup">| dedup agentComputerName installedAt</LI-CODE> Mon, 05 Sep 2022 11:18:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611937#M212759 ITWhisperer 2022-09-05T11:18:16Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611946#M212762 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>Though I gave <STRONG>| search duration &lt;7+&nbsp;</STRONG>condition, I am getting results other results. How to exclude the results within 7 days.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alexspunkshell_0-1662378568846.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21316iF2AD95D8D0CE43F4/image-size/medium?v=v2&amp;px=400" role="button" title="alexspunkshell_0-1662378568846.png" alt="alexspunkshell_0-1662378568846.png" /></span></P><P>&nbsp;</P> Mon, 05 Sep 2022 11:52:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611946#M212762 alexspunkshell 2022-09-05T11:52:48Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611952#M212767 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/126376">@alexspunkshell</a>,</P><P>add, at the end of the search, a condition that excludes durations less than 7 days (604,800 seconds):</P><LI-CODE lang="markup">&lt;your_search&gt; | eval duration=now()-strptime(InstalledAt,"%Y-%m-%dT%H:%M:%S.%6N") | where duration&gt;604800 | eval duration=tostring(duration,"duration") | table _time InstalledAt duration</LI-CODE><P>&nbsp;Ciao.</P><P>Giuseppe</P> Mon, 05 Sep 2022 12:19:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-the-time-difference-between-last-event-and-now/m-p/611952#M212767 gcusello 2022-09-05T12:19:07Z