- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I configure a search to count 14 days b...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We've ingested some database tables for data that consists of changes being made in our environment. I'm looking to create a report that counts out two weeks at a time to find the next tasks that will occur. The timestamp we are reading is its own column so I evaluated that timestamp to a date and evaluated now.
[base search] | eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") | eval startDate=strftime(start,"%Y-%m-%d") | eval now=now()| eval todayDate=strftime(now,"%Y-%m-%d") | [table output]
From here, I want to be able to evaluate 14 days between "todayDate" and "startDate". What would be the best way to achieve this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, based on the comment, here is how to do what you want.
yoursearchhere
| eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q")
| eval boundaryDate = relative_time(now(),"+14d")
| where start <= boundaryDate
| table whateveryouwant
The relative_time function is super useful...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, based on the comment, here is how to do what you want.
yoursearchhere
| eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q")
| eval boundaryDate = relative_time(now(),"+14d")
| where start <= boundaryDate
| table whateveryouwant
The relative_time function is super useful...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doesn't seem to have the desired effect. It does cut the number of events down so it's doing something but it doesn't seem to be limited to the 14 days I want it to be limited to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Going on your solution, I also evaluated "now" to its own value and limited it by only showing events where the start time is > now
yoursearchhere
| eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q")
| eval boundaryDate = relative_time(now(),"+14d")
| eval now=now()
| where start <= boundaryDate
| where start > now
| table whateveryouwant
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, "find the next tasks that will occur" sounds like you are looking for future events. And I don't know what "evaluate 14 days" means either.
Can you explain your input and your desired output?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the PLANNED_START field is a column from a table in which a user inputs the value of when they plan to start the task (the task being the whole event itself). I'm trying to create a report that reads the "startDate" field and determines if the date is within the next two weeks from when the report is ran.
Ideally this would be run every morning and show two weeks of tasks from that moment (todayDate).
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
