Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find a results between two dates (initial date and limit date) .

lucasdc
New Member
‎04-18-2019 11:24 AM

Hi Splunkers , I've tried this query to return events between two specific dates.

Here is the query:

index="db_rsa_archer"
| eval Data Identificada=strptime('Step Due Date', "%d/%m/%Y/")
| eval days = round((now()-dateDue))
| fields "Nome do Projeto"
| table "Nome do Projeto" ,"Data Identificada"
| dedup "Nome do Projeto"

So , I gotta find results between 18/04/2018 until 18/04/2019 (limit date) in this string field (Data Identificada) and then remove the duplicates by "Nome do Projeto"

The result is supposed to be 25 events , but it returns for me 313 events.

Thank you!

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-22-2019 06:58 PM

Try this:

index="db_rsa_archer" 
| eval Data_Identificada=strptime('Step Due Date', "%d/%m/%Y")
| where Data_Identificada >= relative_time(now(), "-1y") AND Data_Identificada <= now()
| dedup "Nome do Projeto"
| table "Nome do Projeto" ,"Data Identificada"

P.S. Spaces and Hyphens in field names are evil.

0 Karma
Reply

lucasdc
New Member
‎04-24-2019 07:20 AM

Hi woodcock! thanks for helping me.

The query isnt working , the splunk says that there is an error in where command, the expression is malformed.

0 Karma
Reply

cmerriman
Super Champion
‎04-18-2019 01:13 PM

If I understand, you have a field called Step Due Date that has a date formatted %d/%m/%Y and you want to know how many days are between that date and today?

Try this:

index="db_rsa_archer" 
| fields "Step Due Date" "Nome do Projeto"
| rename "Step Due Date" as step_due_date
| eval Data_Identificada=strptime(step_due_date, "%d/%m/%Y")
| eval days = round((now()-Data_Identificada)/86400)
| table "Nome do Projeto" ,"Data_Identificada"
| dedup "Nome do Projeto"

some of the issues were using the wrong field names. let me know if this helps

0 Karma
Reply

lucasdc
New Member
‎04-22-2019 12:42 PM

Blockquote

Hi cmerriman! Thanks for helping me! I think that I've told something wrong because the query isn't working.

Actually , I have a field which name is "Data Identificada" , all the values inside in this field are strings and the format is d/m/y.I have to make a search that will return for me all the results since today (22/04/2019) until 22/04/2018 and dedup all the results found.

that's the answer!

Could you help to build this query? I pay for you! if you dont mind and pass me your number I would appreciate

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎04-24-2019 08:46 AM

I forgot an ). I edited and fixed my original answer.

0 Karma
Reply

cmerriman
Super Champion
‎04-22-2019 01:03 PM

before the dedup, try adding a |where days<=365
or is there not even data coming back when you run
index="db_rsa_archer"
| fields "Step Due Date" "Nome do Projeto"
| rename "Step Due Date" as step_due_date
| eval Data_Identificada=strptime(step_due_date, "%d/%m/%Y")
| eval days = round((now()-Data_Identificada)/86400)

based on what you have shown in your question, you have a field called "Step Due Date" that is a string in the format of d/m/y and you create "Data Identificada" from that.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...