Dashboards & Visualizations

How to filter Splunk field results by time?

tayvionp
Explorer

I'm currently building a query that will pull data from today to April 26th, 

the field value contains the following time format 

 

 

termination_initiated (field value name)
2022-05-02T11:47:01.011-07:00
2022-05-02T11:42:10.820-07:00

 

 

 I'm currently trying to convert is so that i can only get results between today and April 26th.

I've tried this piece of code with no luck

 

 

| eval terminiation_started=strptime(termination_initiated,"%Y-%m-%dT %H:%M:%S.%QZ")
| where termination_started>=relative_time(now(),"-6d@d")

 

 

Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The strptime format string doesn't match the example data.  Try

 

"%Y-%m-%dT%H:%M:%S.%3N%:z"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

Aside from @richgalloway comment about format issues, if this is the real query

| eval terminiation_started=strptime(termination_initiated,"%Y-%m-%dT %H:%M:%S.%QZ")
| where termination_started>=relative_time(now(),"-6d@d")

then the name 'terminiation_started' has an extra 'i', so is not the field you are using in the where clause.

Second issue: Is that example a single event containing two values of the field?

If so, then the logic will not work anyway with the changes suggested.

If it's a multivalue field then you would need something like this

| eval rt=relative_time(now(),"-6d@d")
| where tonumber(max(mvmap(termination_started, if(termination_started>=rt, 1, 0))))>0

Also, is your _time field different to this termination initiation field? 

tayvionp
Explorer

@bowesmana Thanks, the _time value is indeed different from the "termination_started" field. Also, the 2 values are the first 2 results. They aren't multi-value

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The strptime format string doesn't match the example data.  Try

 

"%Y-%m-%dT%H:%M:%S.%3N%:z"

 

---
If this reply helps you, Karma would be appreciated.

tayvionp
Explorer

Thanks this was the needed format

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...