Getting Data In

How do I extract these events between two date ranges?

Saikarankot
Engager

Hello! First time posting here. Just started learning Splunk and I am trying to extract events between two date ranges, 4/6/2021 and 4/7/2021.

I tried one of the earlier suggested answers, which were:

index="security" 
| eval Date="04/07/2021" 
| eval timestampDate=strptime(Date, "%m/%d/%Y") 
| eval timestampStart=strptime("04/06/2021", "%m/%d/%Y") 
| eval timestampEnd=strptime("04/07/2021", "%m/%d/%Y") 
| eval formattedTimestamp = strftime(timestamp,"%Y-%m-%dT%H:%M:%S") 
| where timestampDate >= timestampStart AND timestampDate <= timestampEnd

and

index="security" | eval Date="4/7/2021" | where (strptime(Date, "%m/%d/%Y")>=strptime("4/6/2021", "%m/%d/%Y")) AND (strptime(Date, "%m/%d/%Y")<=strptime("4/7/2021", "%m/%d/%Y"))

But the queries return all the events available in the log file. Attaching the screenshots here.

Here is the sample from the index.


Can someone please assist, thanks in advance.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Saikarankot,

I suppose that you are not speaking of identifying two dates using the Time Picker.

In this case you can use something like this:

index=security (earliest="10/03/2022:00:00:00" latest="10/05/2022:00:00:00")

beware of the format of the timestamp!

Ciao.

Giuseppe


Saikarankot
Engager

Hi @gcusello. Apologies for the late response.

Thank you so much, this works. I'm also curious why the queries that I tried earlier didn't work. Would you be able to shed some light on that?

Best Regards,
Sai

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Saikarankot,

probably the problem is in the format of those fields.

Good for you, see you next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
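To make both points in this thread concrete (the accepted answer's earliest/latest range with its "%m/%d/%Y:%H:%M:%S" timestamp format, and the question of why the original queries returned every event), here is an added Python model of the two filters. It is example code written for this page, not part of the thread and not Splunk's own implementation. The sample events, the assumption that each raw line begins with its timestamp, and the helper names (parse_splunk_time, filter_by_event_time, filter_by_literal_date, is_valid_modifier) are all constructed for the example. The model follows Splunk's documented time-range semantics: earliest is inclusive, latest is exclusive.

```python
from datetime import datetime

# Constructed sample events (not from the original post). Each raw line starts with a
# timestamp in the same shape the accepted answer uses for earliest=/latest=.
SAMPLE_EVENTS = [
    "04/05/2021:23:59:59 src=10.0.0.5 action=login user=alice",
    "04/06/2021:00:00:00 src=10.0.0.7 action=login user=bob",
    "04/06/2021:13:45:10 src=10.0.0.9 action=logout user=bob",
    "04/07/2021:00:00:00 src=10.0.0.5 action=login user=carol",
    "04/07/2021:08:30:00 src=10.0.0.12 action=failed_login user=dave",
    "04/08/2021:02:00:00 src=10.0.0.5 action=login user=alice",
]

# Format of the time modifiers as written in the accepted answer.
SPLUNK_TIME_FMT = "%m/%d/%Y:%H:%M:%S"


def parse_splunk_time(text):
    """Equivalent of SPL strptime(text, "%m/%d/%Y:%H:%M:%S"): returns epoch seconds."""
    return datetime.strptime(text, SPLUNK_TIME_FMT).timestamp()


def is_valid_modifier(text):
    """True only if text matches the modifier format exactly ("beware of the format")."""
    try:
        parse_splunk_time(text)
        return True
    except ValueError:
        return False


def event_time(raw):
    """Use the leading timestamp token of a raw event as its _time (epoch seconds).
    Assumption for this example: the timestamp is the first space-separated field."""
    return parse_splunk_time(raw.split(" ", 1)[0])


def filter_by_event_time(events, earliest, latest):
    """Model of index=security earliest=... latest=...: keep events whose OWN
    timestamp lies in [earliest, latest). earliest is inclusive, latest exclusive."""
    lo, hi = parse_splunk_time(earliest), parse_splunk_time(latest)
    return [e for e in events if lo <= event_time(e) < hi]


def filter_by_literal_date(events, date_literal, start, end):
    """Model of the question's first query. Date is a string constant set by eval,
    so the where clause compares the same value for every event: it is either true
    for all events (everything is returned) or false for all (nothing is returned).
    The event's actual timestamp never enters the comparison."""
    day_fmt = "%m/%d/%Y"
    d = datetime.strptime(date_literal, day_fmt).timestamp()
    lo = datetime.strptime(start, day_fmt).timestamp()
    hi = datetime.strptime(end, day_fmt).timestamp()
    return [e for e in events if lo <= d <= hi]


if __name__ == "__main__":
    # Range covering 4/6 and 4/7: latest must be the start of 4/8 because it is exclusive.
    kept = filter_by_event_time(SAMPLE_EVENTS, "04/06/2021:00:00:00", "04/08/2021:00:00:00")
    print(f"earliest/latest filter kept {len(kept)} of {len(SAMPLE_EVENTS)} events")
    for e in kept:
        print("  ", e)

    # The literal-date comparison returns every event, as described in the question.
    all_events = filter_by_literal_date(SAMPLE_EVENTS, "04/07/2021", "04/06/2021", "04/07/2021")
    print(f"literal Date comparison kept {len(all_events)} of {len(SAMPLE_EVENTS)} events")

    # A modifier missing the time part fails to parse under the required format.
    print("'04/06/2021' valid modifier?", is_valid_modifier("04/06/2021"))
```

Two things this model makes visible that the thread only states: to include the whole of 4/7 you set latest to the first second of 4/8, since the upper bound is exclusive; and a `where` clause can only narrow results when one side of the comparison is a per-event field such as `_time`, never when both sides are literals produced by `eval`.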
