Splunk Search

How can I look back 7 days from when an event occurred?

auaave
Communicator

Hey Guys,

I have a daily report that is showing the # of orders planned and completed for the day. However, the order plan and completion don't always happen on the same day. Some of the information that I need is only available when the order is received. Therefore, if the order was completed today but it was received yesterday, this information is lost. I have added earliest=-7d to my query, but this is looking back 7 days from when the search was done and not 7 days from when the event happened.

The below query works when we are looking at today's orders, but when we have to look back at a few months' reports it doesn't work properly. How can I make it look back 7 days from when the event happened? Thanks a lot!

| join type=outer BATCHNO 
    [ search index=* source="WCT_4BATCH_STATUS" STATUS=RECEIVED earliest=-7d 
    | eval RFT=strptime(RFT,"%Y-%m-%d %H:%M:%S.%N") 
    | stats max(RFT) as rft by BATCHNO] 
| join type=outer ORDERNO 
    [ search index=* source="WCT_4DELIVERY_ORDER_STATUS" STATUS=RECEIVED earliest=-7d 
    | rex field=ORDERNO "-(?<ORDERNO>\d+)" 
    | stats values(SIOFLAG) as flag by ORDERNO] 
0 Karma

Shan
Builder

@auaave - If you want to achieve it, check if you have any date information or date field in your events. You can pick that date and filter the required information. For example, if you have a field like order_date or order_close_date, then you can filter the data with the help of it rather than using earliest and latest. Kindly check based on what timestamp the data are indexed into Splunk.

0 Karma

dstaulcu
Builder

What were you doing in the 7 days that preceded the murder?

sourcetype=actions person="you" 
        [ search action=murder 
        | eval earliest = (_time -7 * 86400), latest = (_time) 
        | fields host earliest latest 
        | format "(" "(" "" ")" "OR" ")" ] 

Thanks Splunk mug!

0 Karma
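As an added illustration of the per-event lookback window the answer above builds with its subsearch (this code is not from the thread; the order records are constructed, and Python's %f stands in for SPL's %N in the RFT format):

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the original thread: completion events and
# RECEIVED status events keyed by BATCHNO, in the RFT timestamp format from the question.
COMPLETED = [
    {"BATCHNO": "B100", "_time": "2023-03-10 09:15:00.000"},
    {"BATCHNO": "B200", "_time": "2023-03-10 11:40:00.000"},
    {"BATCHNO": "B300", "_time": "2023-03-10 16:05:00.000"},
]
RECEIVED = [
    {"BATCHNO": "B100", "RFT": "2023-03-09 08:00:00.000"},  # received the day before: kept
    {"BATCHNO": "B100", "RFT": "2023-02-20 08:00:00.000"},  # older than 7 days: ignored
    {"BATCHNO": "B200", "RFT": "2023-03-04 12:00:00.000"},  # ~6 days earlier: kept
    {"BATCHNO": "B300", "RFT": "2023-03-01 10:00:00.000"},  # 9 days earlier: dropped
]

RFT_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # Python equivalent of SPL "%Y-%m-%d %H:%M:%S.%N"


def parse_rft(value):
    return datetime.strptime(value, RFT_FORMAT)


def format_rft(value):
    # Render milliseconds (3 digits) to match the input format rather than %f's 6 digits.
    return value.strftime("%Y-%m-%d %H:%M:%S.") + f"{value.microsecond // 1000:03d}"


def lookback_join(completed, received, days=7):
    """For each completion event, return the latest RECEIVED timestamp for the same
    BATCHNO inside [event_time - days, event_time], i.e. a window anchored on the
    event's own _time rather than on when the search is run (earliest=-7d)."""
    by_batch = {}
    for rec in received:
        by_batch.setdefault(rec["BATCHNO"], []).append(parse_rft(rec["RFT"]))
    result = {}
    for ev in completed:
        latest = parse_rft(ev["_time"])          # same role as latest=_time in the subsearch
        earliest = latest - timedelta(days=days)  # same role as earliest=_time-7*86400
        hits = [t for t in by_batch.get(ev["BATCHNO"], []) if earliest <= t <= latest]
        result[ev["BATCHNO"]] = format_rft(max(hits)) if hits else None
    return result


if __name__ == "__main__":
    for batch, rft in lookback_join(COMPLETED, RECEIVED).items():
        print(batch, "->", rft)
```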

consultanteIman
New Member

Hello,

I think you have to retrieve the timestamp of the event, and then subtract 7 days, converted to a timestamp, from your original timestamp.

I hope that helps you.

Regards,

0 Karma