Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display events when current date is >= 30 days from expiration date

jsven7
Communicator
‎11-24-2015 10:41 AM

Spent all day trying to figure this out. The events I'm working with contain a field with an expiration date in Unix epoch time. I'm trying to bring up a table of events when current date is >= 30days before the expiration date. Combed through documentation and Splunk Answers no luck. Thanks in advance.

Example data:

expiration_date=1548910800000
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-24-2015 11:41 AM

Like this:

... | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays>=30

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-24-2015 11:41 AM

Like this:

... | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays>=30
Reply
Solved! Jump to solution

jsven7
Communicator
‎11-24-2015 12:29 PM

Meant to write '<' instead of '>'. Its not giving events where now() is <= 30days of expiration_date

mysearch...
|eval now=now()
| eval deltaDays = (now() - expiration_date)/86400
| where deltaDays<=30
| table loginuid, token_serial, now, expiration_date

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-24-2015 12:58 PM

So did this work for you?

0 Karma
Reply
Solved! Jump to solution

jsven7
Communicator
‎11-30-2015 05:04 AM

Sorry for late response was out for Thanksgiving. Hope you enjoyed yours!

I'm trying to test with this:

my search | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays<=30 | eval expiration_date=expiration_date/1000 | eval Expiration_date=strftime(expiration_date,"%m/%d/%Y") | table loginuid, token_serial, Expiration_date

I expect to see events where the Expiration_date field is <= 30 days from now() but this is not the case. Am I using the where command correctly?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-01-2015 06:32 AM

I did not look closely at your sample data and there is a problem there. It is neither in epoch, nor in any encoding that I can discern. If you can convert this to epoch, then my solution will work for you.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-01-2015 06:34 AM

Even if I assume it is in milliseconds, this converts to Thu, 31 Jan 2019 05:00:00 GMT!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-24-2015 11:03 AM

See if this gives you some ideas...

| eval dexpire=1548910800 | eval dback30=relative_time(ed, "-30d@d" ) | eval dnow=now() | table dexpire dback30 dnow | foreach d* [eval <>=strftime(<>, "%c")] | eval older=if(dnow>=dback30, "Y", "N")

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...