How do I filter time in a specific field in Search...

dfigurello · ‎09-23-2014

Hi Splunkers,

I need help creating a filter in a specific time field. My search is:

sourcetype=google is_disabled=False | eval n=strptime(accounts_last_login_time, "%Y-%m-%d") | convert timeformat="%d/%m/%Y" ctime(n) AS last_login | table login, last_login

So now, I need a help to create a filter to get users that haven't been logged in the previous 45 days.
(last_login > 45 days).

Any idea?

Cheers!

ltrand · ‎09-23-2014

First you need to quantify the unknown (who are all of the users), or assume some level of inefficiency/error.

So, you could run your search on "All Time" and anything older than 45 days becomes the search criteria, but it's an expensive search and it assumes you have perfect logging and all users have utilized this at least once.

OR!

You need to give it a list of all users. A lookup.csv that is fed into Splunk at some normal interval for indexing and then it can search only within 45 days of current time and then spit out anyone not on the list.

That really is your first challenge since your methodology of determining who is a user will dictate what the search query will look like.

How do I filter time in a specific field in Search time?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation