Check if the date in splunk message is between 2 d...

ghostrider · ‎07-21-2023

I have a splunk event with below format:

{

message

{

DATE: 2023-07-20T11:53:04

}

I want to find all the events that have the above DATE field in a particular range. However below query is not yielding any results. Is something wrong with it?

BASE SEARCH
| message.DATE >= strftime("2023-07-20T11:50:04","%Y-%m-%dT%H:%M:%S")   AND  message.DATE <= strftime("2023-07-20T11:56:04","%Y-%m-%dT%H:%M:%S")

gcusello · ‎07-21-2023

hi @ghostrider,

your search isn't correct because there isn't a command before message.DATE.

In addition sometimes eval and where have problems with fields containing dots.

at least to compare dates, you have to transform them in epochtime using strptime, so please try this

BASE SEARCH
| rename message.DATE AS DATE
| eval DATE_epoch=strptime(DATE,"%Y-%m-%dT%H:%M:%S")
| where DATE_epoch >= strptime("2023-07-20T11:50:04","%Y-%m-%dT%H:%M:%S") AND DATE_epoch <= strptime("2023-07-20T11:56:04","%Y-%m-%dT%H:%M:%S")

Ciao.

Giuseppe

Check if the date in splunk message is between 2 dates

fields

lookup

metadata

subsearch

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?