Filter by time where date is in separate field

user93
Path Finder

I need some help to filter by time, but the time field is not the internal Splunk time field. Instead, it is a date field from a lookup spreadsheet that corresponds to the object's file creation.

I want to be able to filter on objects that are created only in the previous month.

The format of the lookup date field is like this:

Created=8/26/2019 17:01

0 Karma

eduardKiyko
Explorer

You can create the _time field right in the search query, like this:


| eval _time=strptime(Created,"%m/%d/%Y %H:%M")

0 Karma
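
An added example, not part of the original thread: one way to keep only the rows whose Created value falls in the previous calendar month, comparing the parsed epoch against month boundaries from relative_time() because the time range picker is applied before any eval runs. The lookup name objects_example.csv and the fields created_epoch, month_start, month_end and in_prev_month are hypothetical; the format string assumes Created looks like the sample in the question (8/26/2019 17:01).

```spl
| inputlookup objects_example.csv
| eval created_epoch=strptime(Created, "%m/%d/%Y %H:%M")
| eval month_start=relative_time(now(), "-1mon@mon"), month_end=relative_time(now(), "@mon")
| eval in_prev_month=case(isnull(created_epoch), "unparsed", created_epoch>=month_start AND created_epoch<month_end, "yes", true(), "no")
| where in_prev_month="yes"
| fields - month_start month_end
```

Changing the where clause to in_prev_month="unparsed" lists the rows whose Created value did not match the format string, which would otherwise drop out of the result without notice.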