Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I filter time in a specific field in Search time?

dfigurello
Communicator
‎09-23-2014 09:06 AM

Hi Splunkers,

I need help creating a filter in a specific time field. My search is:

sourcetype=google is_disabled=False | eval n=strptime(accounts_last_login_time, "%Y-%m-%d") | convert timeformat="%d/%m/%Y" ctime(n) AS last_login | table login, last_login

So now, I need a help to create a filter to get users that haven't been logged in the previous 45 days.
(last_login > 45 days).

Any idea?

Cheers!

0 Karma
Reply

ltrand
Contributor
‎09-23-2014 11:42 AM

First you need to quantify the unknown (who are all of the users), or assume some level of inefficiency/error.

So, you could run your search on "All Time" and anything older than 45 days becomes the search criteria, but it's an expensive search and it assumes you have perfect logging and all users have utilized this at least once.

OR!

You need to give it a list of all users. A lookup.csv that is fed into Splunk at some normal interval for indexing and then it can search only within 45 days of current time and then spit out anyone not on the list.

That really is your first challenge since your methodology of determining who is a user will dictate what the search query will look like.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top