I am trying to specify a search where it looks at the newly extracted field newdatefield and validate if it fall within last 7 days. Can any one please help, thanks.
Here is the search i have so far:
index=application sourcetype=twoapp "0|1" earliest = -7d latest=now
| eval newdatefield=strftime( strptime( pwd_changedate, "%Y-%m-%d %H:%M:%S"), "%m/%d/%Y %I:%M:%S %p")
| eval SevenDaysBack = relative_time(now(), "-7d@d")
| eval SevenDaysBack = strftime(SevenDaysBack ,"%m/%d/%Y %I:%M:%S %p")
| where newdatefield > SevenDaysBack | table newdatefield, SevenDaysBack
This converts and outputs the field from string to time format and gives me a baseline date. But I am stuck at validating if the date falls within last 7 days. I used splunk.answers to get the above query but somehow I'm not able to move any further.
Current Output:
newdatefield SevenDaysBack
06/02/2015 02:26:18 PM 05/27/2015 12:00:00 AM
06/02/2015 10:11:15 AM 05/27/2015 12:00:00 AM
08/16/2005 12:00:00 AM 05/27/2015 12:00:00 AM
06/02/2015 02:19:28 PM 05/27/2015 12:00:00 AM
Expected Output:
newdatefield SevenDaysBack
06/02/2015 02:26:18 PM 05/27/2015 12:00:00 AM
06/02/2015 10:11:15 AM 05/27/2015 12:00:00 AM
06/02/2015 02:19:28 PM 05/27/2015 12:00:00 AM
-S.Ali
When comparing timestamps it's best to use epoch form rather than string form. Try this:
index=application sourcetype=twoapp "0|1" earliest = -7d latest=now
| eval newdatefield= strptime( pwd_changedate, "%Y-%m-%d %H:%M:%S")
| eval SevenDaysBack = relative_time(now(), "-7d@d")
| where newdatefield > SevenDaysBack
| eval newdatefield = strftime(newdatefield, "%m/%d/%Y %I:%M:%S %p")
| eval SevenDaysBack = strftime(SevenDaysBack ,"%m/%d/%Y %I:%M:%S %p")
| table newdatefield, SevenDaysBack
When comparing timestamps it's best to use epoch form rather than string form. Try this:
index=application sourcetype=twoapp "0|1" earliest = -7d latest=now
| eval newdatefield= strptime( pwd_changedate, "%Y-%m-%d %H:%M:%S")
| eval SevenDaysBack = relative_time(now(), "-7d@d")
| where newdatefield > SevenDaysBack
| eval newdatefield = strftime(newdatefield, "%m/%d/%Y %I:%M:%S %p")
| eval SevenDaysBack = strftime(SevenDaysBack ,"%m/%d/%Y %I:%M:%S %p")
| table newdatefield, SevenDaysBack
Thanks.
Didn't think of that approach. Appreciate your help. 🙂
Hello!
I do not see the difference betwen your Current Output and your Expected Output. Can you be more specific?