
How can I look back 7 days from when an event occurred?

Communicator

Hey Guys,

I have a daily report that shows the # of orders planned and completed for the day. However, the order plan and completion don't always happen on the same day. Some of the information that I need is only available when the order is received. Therefore, if the order was completed today but it was received yesterday, this information is lost. I have added earliest=-7d to my query, but this looks back 7 days from when the search was run and not 7 days from when the event happened.

The query below works when we are looking at today's orders, but when we have to look back at a few months' report it doesn't work properly. How can I make it look at the 7 days before the event happened? Thanks a lot!

| join type=outer BATCHNO 
    [ search index=* source="WCT_4BATCH_STATUS" STATUS=RECEIVED earliest=-7d 
    | eval RFT=strptime(RFT,"%Y-%m-%d %H:%M:%S.%N") 
    | stats max(RFT) as rft by BATCHNO] 
| join type=outer ORDERNO 
    [ search index=* source="WCT_4DELIVERY_ORDER_STATUS" STATUS=RECEIVED earliest=-7d 
    | rex field=ORDERNO "-(?<ORDERNO>\d+)" 
    | stats values(SIOFLAG) as flag by ORDERNO] 
0 Karma

Re: How can I look back 7 days from when an event occurred?

New Member

Hello,

I think you have to retrieve the timestamp of the event, and then subtract 7 days (converted to a timestamp) from your original timestamp.

I hope that helps you.

Regards,

0 Karma

Re: How can I look back 7 days from when an event occurred?

Builder

What were you doing in the 7 days that preceded the murder?

sourcetype=actions person="you" 
        [ search action=murder 
        | eval earliest = (_time -7 * 86400), latest = (_time) 
        | fields host earliest latest 
        | format "(" "(" "" ")" "OR" ")" ] 

Thanks Splunk mug!

0 Karma
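The per-event window the answer above builds with `eval earliest = (_time - 7 * 86400), latest = (_time)` is the same thing the original question's `stats max(RFT) by BATCHNO` join needs. As an added illustration (not code from this thread), the following Python reproduces that logic over constructed sample events: for each completed order it keeps only RECEIVED events from the 7 days before that order's own completion time, then takes the latest one; the batch numbers and timestamps are made up, and `%f` stands in for Splunk's `%N`.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): RECEIVED events for batches,
# with RFT in the same "%Y-%m-%d %H:%M:%S.%N"-style layout the question uses.
RECEIVED_EVENTS = [
    {"BATCHNO": "B100", "STATUS": "RECEIVED", "RFT": "2020-03-01 08:00:00.000"},
    {"BATCHNO": "B100", "STATUS": "RECEIVED", "RFT": "2020-03-05 09:30:00.250"},
    {"BATCHNO": "B200", "STATUS": "RECEIVED", "RFT": "2020-02-20 10:00:00.000"},  # older than 7 days
    {"BATCHNO": "B300", "STATUS": "RECEIVED", "RFT": "2020-03-07 12:00:00.000"},  # after completion
]

# Constructed completed orders; "completed" plays the role of the event's _time.
COMPLETED_ORDERS = [
    {"BATCHNO": "B100", "completed": "2020-03-06 17:00:00.000"},
    {"BATCHNO": "B200", "completed": "2020-03-06 17:00:00.000"},
    {"BATCHNO": "B300", "completed": "2020-03-06 17:00:00.000"},
]


def parse_rft(ts):
    """Parse the RFT string; Python's %f takes the place of Splunk's %N."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def latest_receipt_within(received, batchno, latest, days=7):
    """Equivalent of `stats max(RFT) by BATCHNO`, but with earliest/latest
    taken from the completing event rather than from the search time."""
    earliest = latest - timedelta(days=days)
    candidates = [
        parse_rft(e["RFT"])
        for e in received
        if e["BATCHNO"] == batchno
        and e["STATUS"] == "RECEIVED"
        and earliest <= parse_rft(e["RFT"]) <= latest
    ]
    return max(candidates) if candidates else None


def join_received(completed, received, days=7):
    """Outer join: every completed order is kept, rft is None when no
    RECEIVED event falls inside that order's own 7-day lookback window."""
    result = {}
    for order in completed:
        latest = parse_rft(order["completed"])
        result[order["BATCHNO"]] = latest_receipt_within(
            received, order["BATCHNO"], latest, days
        )
    return result


if __name__ == "__main__":
    for batch, rft in join_received(COMPLETED_ORDERS, RECEIVED_EVENTS).items():
        print(batch, rft.isoformat() if rft else None)
```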

Re: How can I look back 7 days from when an event occurred?

@auaave - If you want to achieve this, check whether you have any date information or date field in your events. You can pick that date and filter the required information. For example, if you have a field like orderdate or orderclose_date, then you can filter the data with its help rather than using earliest and latest. Kindly check based on what timestamp the data are indexed into Splunk.

0 Karma