topic Re: Display events when current date is &gt;= 30 days from expiration date in Splunk Search https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249881#M74579 <P>Even if I assume it is in milliseconds, this converts to Thu, 31 Jan 2019 05:00:00 GMT!</P> Tue, 01 Dec 2015 14:34:53 GMT woodcock 2015-12-01T14:34:53Z Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249874#M74572 <P>Spent all day trying to figure this out. The events I'm working with contain a field with an expiration date in Unix epoch time. I'm trying to bring up a table of events when current date is &gt;= 30days before the expiration date. Combed through documentation and Splunk Answers no luck. Thanks in advance.</P> <P>Example data:</P> <PRE><CODE>expiration_date=1548910800000 </CODE></PRE> Tue, 24 Nov 2015 18:41:55 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249874#M74572 jsven7 2015-11-24T18:41:55Z Re: Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249875#M74573 <P>See if this gives you some ideas...</P> <P><CODE>| eval dexpire=1548910800 | eval dback30=relative_time(ed, "-30d@d" ) | eval dnow=now() | table dexpire dback30 dnow | foreach d* [eval &lt;&gt;=strftime(&lt;&gt;, "%c")] | eval older=if(dnow&gt;=dback30, "Y", "N")</CODE> </P> Tue, 24 Nov 2015 19:03:29 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249875#M74573 sundareshr 2015-11-24T19:03:29Z Re: Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249876#M74574 <P>Like this:</P> <PRE><CODE>... | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays&gt;=30 </CODE></PRE> Tue, 24 Nov 2015 19:41:34 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249876#M74574 woodcock 2015-11-24T19:41:34Z Re: Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249877#M74575 <P>Meant to write '&lt;' instead of '&gt;'. Its not giving events where now() is &lt;= 30days of expiration_date</P> <P><CODE>mysearch...<BR /> |eval now=now()<BR /> | eval deltaDays = (now() - expiration_date)/86400 <BR /> | where deltaDays&lt;=30<BR /> | table loginuid, token_serial, now, expiration_date</CODE></P> Tue, 24 Nov 2015 20:29:06 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249877#M74575 jsven7 2015-11-24T20:29:06Z Re: Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249878#M74576 <P>So did this work for you?</P> Tue, 24 Nov 2015 20:58:37 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249878#M74576 woodcock 2015-11-24T20:58:37Z Re: Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249879#M74577 <P>Sorry for late response was out for Thanksgiving. Hope you enjoyed yours! </P> <P>I'm trying to test with this:</P> <P><CODE>my search | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays&lt;=30 | eval expiration_date=expiration_date/1000 | eval Expiration_date=strftime(expiration_date,"%m/%d/%Y") | table loginuid, token_serial, Expiration_date</CODE></P> <P>I expect to see events where the <CODE>Expiration_date</CODE> field is &lt;= 30 days from <CODE>now()</CODE> but this is not the case. Am I using the where command correctly?</P> Mon, 30 Nov 2015 13:04:32 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249879#M74577 jsven7 2015-11-30T13:04:32Z Re: Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249880#M74578 <P>I did not look closely at your sample data and there is a problem there. It is neither in epoch, nor in any encoding that I can discern. If you can convert this to epoch, then my solution will work for you.</P> Tue, 01 Dec 2015 14:32:58 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249880#M74578 woodcock 2015-12-01T14:32:58Z Re: Display events when current date is >= 30 days from expiration date https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249881#M74579 <P>Even if I assume it is in milliseconds, this converts to Thu, 31 Jan 2019 05:00:00 GMT!</P> Tue, 01 Dec 2015 14:34:53 GMT https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249881#M74579 woodcock 2015-12-01T14:34:53Z