Solved: Events older then 30 days

DTERM · ‎06-25-2012

The following is a sample entry from a splunk index...

lastOccurrence=2012-06-25 18:42:38.0|firstOccurrence=2012-06-18 14:45:59.0|writeTime=2012/06/25 18:40:55|actionCode=U|actionTime=2012-06-25 18:42:39.0|serverName=SERVER1|serverSerial=300998|identifier=10.169.255.trap61 server1.mydomain.com Host State - UP/DOWN|severity=0|alertText=PING OK - Packet loss = 0%, RTA = 0.03 ms|businessUnit=HQ|cmName=server.mydomain.com|deletedBy=|dmName=None|hostGroup=|msgSrc=Nagios|nagios_duration=0d 0h 0m 0s|netcool_duration=|productName=PRIMARY SERVICES|serviceName=Host State - UP/DOWN|supportGroup=SYSADMIN|tally=8200|tgtHostname=server1.mydomin.com|ticketNumber=

How can I extract events that are older then 30 days based on the lastOccurance field. Note the format of the field, I'm not concerned with the hours, minutes, or seconds.

Thanks in advance.

lguinn2 · ‎06-25-2012

I agree with Ayn - you might be able to search based on the splunk timestamp; the search would look like

source=yourfilename latest=-30d@d earliest=0

But, if you really want to search based on the lastOccurance field:

lastOccurence=*
| eval testDate=strptime(lastOccurence,"%Y-%m-%d")
| where testDate < relative_time(now(),"-30d@d")

Duh - I cannot type sometimes. It is probably the spelling.

View solution in original post

lguinn2 · ‎06-25-2012

I agree with Ayn - you might be able to search based on the splunk timestamp; the search would look like

source=yourfilename latest=-30d@d earliest=0

But, if you really want to search based on the lastOccurance field:

lastOccurence=*
| eval testDate=strptime(lastOccurence,"%Y-%m-%d")
| where testDate < relative_time(now(),"-30d@d")

Duh - I cannot type sometimes. It is probably the spelling.

lguinn2 · ‎06-27-2012

Does it give you any data? What do you get if you run this instead?

lastOccurence=*
| eval testDate=strptime(lastOccurence,"%Y-%m-%d")
| eval lastMo = relative_time(now(),"-30d@d")
| where testDate < lastMo
| table testDate lastMo lastOccurence

(And you might have to leave off the where command if you aren't getting any data)
- Updated for spelling -

meganarellano · ‎05-09-2018

I had to add an additional eval to get mine to work but this is the answer I've been searching for for a while. Thank you!

|eval test=relative_time(now(),"-90d@d")
|eval test2=strftime(test,"%Y-%m-%d")
|where StartDate > test2

ecanmaster · ‎12-22-2017

this one works, thx !!

Ayn · ‎06-27-2012

Make sure that the spelling of "lastOccurrence" is correct in your search command.

DTERM · ‎06-27-2012

That does not work. Not sure why, but it does not work.

Ayn · ‎06-25-2012

Isn't the lastOccurrence field already extracted as the timestamp Splunk uses itself?

Events older then 30 days

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation