Splunk Search

How do I configure a search to count 14 days between now and a timestamp within my event?

Communicator

We've ingested some database tables for data that consists of changes being made in our environment. I'm looking to create a report that counts out two weeks at a time to find the next tasks that will occur. The timestamp we are reading is its own column so I evaluated that timestamp to a date and evaluated now.

[base search] | eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") | eval startDate=strftime(start,"%Y-%m-%d") | eval now=now()| eval todayDate=strftime(now,"%Y-%m-%d") | [table output]

From here, I want to be able to evaluate 14 days between "todayDate" and "startDate". What would be the best way to achieve this?

0 Karma
1 Solution

Legend

So, based on the comment, here is how to do what you want.

yoursearchhere
| eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") 
| eval boundaryDate = relative_time(now(),"+14d")
| where start <= boundaryDate
| table whateveryouwant

The relative_time function is super useful...

View solution in original post

0 Karma

Legend

So, based on the comment, here is how to do what you want.

yoursearchhere
| eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") 
| eval boundaryDate = relative_time(now(),"+14d")
| where start <= boundaryDate
| table whateveryouwant

The relative_time function is super useful...

View solution in original post

0 Karma

Communicator

Doesn't seem to have the desired effect. It does cut the number of events down so it's doing something but it doesn't seem to be limited to the 14 days I want it to be limited to.

0 Karma

Communicator

Going on your solution, I also evaluated "now" to its own value and limited it by only showing events where the start time is > now

 yoursearchhere
 | eval start=strptime(PLANNED_START,"%Y-%m-%d %H:%M:%S.%Q") 
 | eval boundaryDate = relative_time(now(),"+14d")
 | eval now=now()
 | where start <= boundaryDate
 | where start > now
 | table whateveryouwant
0 Karma

Legend

First, "find the next tasks that will occur" sounds like you are looking for future events. And I don't know what "evaluate 14 days" means either.
Can you explain your input and your desired output?

0 Karma

Communicator

So the PLANNED_START field is a column from a table in which a user inputs the value of when they plan to start the task (the task being the whole event itself). I'm trying to create a report that reads the "startDate" field and determines if the date is within the next two weeks from when the report is ran.

Ideally this would be run every morning and show two weeks of tasks from that moment (todayDate).

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!