Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help with evaluating date
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with evaluating date
Hi all,
Struggling to get my Service Now times to evaluate just tickets older than 30 days. The date picker isn't picking them up (suspect because I renamed to a user friendly "Ticket Created" column. Wanted help to insert an eval command and keep the "Ticket Created" column user friendly.
Here's my current search:
index=snow (NOT "https://generalatomicsdev.service-now.com/") (sourcetype=snow:sc_task dv_assignment_group="SystemsInfra Operations" dv_state!=Closed*) OR (sourcetype=snow:incident assignment_group_name="SystemsInfra Operations" dv_state!=Resolved*) dv_assigned_to!="" | stats dc(number) by number,dv_assigned_to, dv_opened_at, sys_updated_on, sys_updated_by | sort dv_opened_at | fields - dc(number) | rename number AS "Ticket Id", dv_assigned_to AS "Ticket Holder", dv_opened_at AS "Ticket Created", sys_updated_on AS "Last Updated", sys_updated_by AS "Updated By"
I've tried inserting a "search dv_opened_at>=-30d" several ways, but appears Splunk wants a defined date format that I struggle to figure out. So went with inserting "eval dv_opened_at-relative_time(now(),"-30d")" but that changed the format of the "Ticket Created" column.
Ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Somesoni2!
Been a bit since I needed your lifeline. 🙂
I actually got it working after submitting the question and had to wait until today to add. Here's what I did that appears to work well:
"index=snow (NOT "https://generalatomicsdev.service-now.com/") (sourcetype=snow:incident (assignment_group_name="Applications (COTS)" OR assignment_group_name="Account Administration" OR assignment_group_name="SystemsInfra Operations") dv_state!=Resolved) OR (sourcetype=snow:sc_task (dv_assignment_group="Applications (COTS)" OR dv_assignment_group="Account Administration" OR dv_assignment_group="SystemsInfra Operations") dv_state!=Closed*) | rename number AS "Ticket Id", dv_assigned_to AS "Ticket Holder", dv_opened_at AS "Ticket Created", sys_updated_on AS "Last Updated" | where strptime('Ticket Created', "%m/%d/%Y %H:%M:%S %p")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your dv_opened_at field value is in epoch format, try like this
index=snow (NOT "https://generalatomicsdev.service-now.com/") (sourcetype=snow:sc_task dv_assignment_group="SystemsInfra Operations" dv_state!=Closed*) OR (sourcetype=snow:incident assignment_group_name="SystemsInfra Operations" dv_state!=Resolved*) dv_assigned_to!=""
| where dv_opened_at>=relative_time(now(),"-30d")
| stats dc(number) by number,dv_assigned_to, dv_opened_at, sys_updated_on, sys_updated_by | sort dv_opened_at | fields - dc(number) | rename number AS "Ticket Id", dv_assigned_to AS "Ticket Holder", dv_opened_at AS "Ticket Created", sys_updated_on AS "Last Updated", sys_updated_by AS "Updated By"
If it's a timestamp in string format, try like this (assuming the timestamp format is %Y-%m-%d %H:%M:%S, update per your date format)
index=snow (NOT "https://generalatomicsdev.service-now.com/") (sourcetype=snow:sc_task dv_assignment_group="SystemsInfra Operations" dv_state!=Closed*) OR (sourcetype=snow:incident assignment_group_name="SystemsInfra Operations" dv_state!=Resolved*) dv_assigned_to!=""
| where strptime(dv_opened_at,"%Y-%m-%d %H:%M:%S")>=relative_time(now(),"-30d")
| stats dc(number) by number,dv_assigned_to, dv_opened_at, sys_updated_on, sys_updated_by | sort dv_opened_at | fields - dc(number) | rename number AS "Ticket Id", dv_assigned_to AS "Ticket Holder", dv_opened_at AS "Ticket Created", sys_updated_on AS "Last Updated", sys_updated_by AS "Updated By"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @gabarrygowin,
your current search is not all here, right?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Mile High Learning with Splunk University, Denver, Colorado
IT Service Intelligence 5.0 Series: Your Guide to the June Launch
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
