Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I look back 7 days from when an event occurred?

auaave
Communicator
‎05-07-2018 09:14 PM

Hey Guys,

I have a daily report that is showing the # of orders planned and completed for the day. However, sometimes the order plan and completion doesn't always happen on the same day. Some of the information that I need are available on when the order is received. Therefore, if the order was completed today but it was received yesterday, these information were lost. I have added earliest=-7d on my query but this is looking back 7 days when the search was done and not 7 days when the event happened.

The below query works when we are looking at today's order but when we have to look back at few months report then it doesn't work properly. How can I make it look at 7 days when the event happened? Thanks a lot!

| join type=outer BATCHNO 
    [ search index=* source="WCT_4BATCH_STATUS" STATUS=RECEIVED earliest=-7d 
    | eval RFT=strptime(RFT,"%Y-%m-%d %H:%M:%S.%N") 
    | stats max(RFT) as rft by BATCHNO] 
| join type=outer ORDERNO 
    [ search index=* source="WCT_4DELIVERY_ORDER_STATUS" STATUS=RECEIVED earliest=-7d 
    | rex field=ORDERNO "-(?<ORDERNO>\d+)" 
    | stats values(SIOFLAG) as flag by ORDERNO]
0 Karma
Reply

Shan
Builder
‎05-08-2018 10:14 PM

@auaave - If you want to achieve it. Check if you have any date information or date filed in your events. You can pick that date and filter the required information.. For example if you have a filed like order_date or order_close_date then you can filter the data with help of it rather than using earliest and latest. kindly check based on what timestamp data are indexed into splunk..

0 Karma
Reply

dstaulcu
Builder
‎05-08-2018 05:56 PM

What were you doing in the 7 days that preceded the murder?

sourcetype=actions person="you" 
        [ search action=murder 
        | eval earliest = (_time -7 * 86400), latest = (_time) 
        | fields host earliest latest 
        | format "(" "(" "" ")" "OR" ")" ]

Thanks Splunk mug!

0 Karma
Reply

consultanteIman
New Member
‎05-08-2018 06:19 AM

Hello ,

I think you have to retrieve the timestamp of the event, and then subtract 7 days converted to timestamp of your original timestamp .

i hope that help you.

regards ,

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...