Solved: Extract data of last 6 months

manohart31 · ‎06-05-2013

2013-06-05T07:07:05+00:00 postid="320697584669392_369735733098910" message="Old Lithographs portrait from the collection at Elgin Silver Oaks Kalimpong" time="2012-07-26" likes="1" comments="0" fromid="32069758466939

how to extract data of last 6 month depending on time

kristian_kolb · ‎06-05-2013

Assumption:

You do not need to further back in _time than 6 months, i.e. your values of time will always be earlier than the event timestamp. Therefore you can extract the epoch representation of time and see if it's more than 6 months ago (15811200 seconds), compared to now().

sourcetype = blah earliest = -6mon 
| eval XXX = strptime(time, "%Y-%m-%d") 
| eval YYY = now() - XXX
| where YYY < 15811200

UPDATE:

You could probably make it even easier by using time as _time;

sourcetype = blah earliest = -6mon 
| eval _time = strptime(time, "%Y-%m-%d") 
| search * earliest=-6mon

/K

View solution in original post

kristian_kolb · ‎06-05-2013

Assumption:

You do not need to further back in _time than 6 months, i.e. your values of time will always be earlier than the event timestamp. Therefore you can extract the epoch representation of time and see if it's more than 6 months ago (15811200 seconds), compared to now().

sourcetype = blah earliest = -6mon 
| eval XXX = strptime(time, "%Y-%m-%d") 
| eval YYY = now() - XXX
| where YYY < 15811200

UPDATE:

You could probably make it even easier by using time as _time;

sourcetype = blah earliest = -6mon 
| eval _time = strptime(time, "%Y-%m-%d") 
| search * earliest=-6mon

/K

Extract data of last 6 months

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...