Re: Convert a time field and use that time to sear...

FraserC1 · ‎08-21-2020

Hi,

I have a search which returns a filed name: create_time and the results are like this:

2020-08-11T17:10:00+0000

What I want to do is this search:

index="automox" sourcetype="automox:software" severity=critical installed=true os_name="Server*" earliest=-1d
| dedup server_name name

But use the time in create_time as the basis for the earliest=-1d search. Is this sort of thing possible?

Cheers.

richgalloway · ‎08-21-2020

The earliest keyword applies only to the _time field. To filter on create_time, use a separate command after converting the field to epoch form.

index="automox" sourcetype="automox:software" severity=critical installed=true os_name="Server*" earliest=-1d
| eval created = strptime(create_time, "%Y-%m-%dT%H:%M:%S%z")
| where created > relative_time(now(), "-1d")
| dedup server_name name

---
If this reply helps you, Karma would be appreciated.

to4kawa · ‎08-21-2020

index="automox" sourcetype="automox:software" severity=critical installed=true os_name="Server*"
[search index="automox" sourcetype="automox:software" severity=critical installed=true os_name="Server*" earliest=-1d | dedup server_name name | eval creation_time=strptime(creation_time,"%FT%T%z") | eval earliest=relative_time(creation_time,"-1d") | stats min(earliest) as earliest]

FraserC1 · ‎08-21-2020

Hey thanks for looking at this for me. I ran this search and it returns zero results.
I am unclear what the purpose of the subsearch is here.

Convert a time field and use that time to search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!