Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I filter time in a specific field in Search time?

dfigurello
Communicator
‎09-23-2014 09:06 AM

Hi Splunkers,

I need help creating a filter in a specific time field. My search is:

sourcetype=google is_disabled=False | eval n=strptime(accounts_last_login_time, "%Y-%m-%d") | convert timeformat="%d/%m/%Y" ctime(n) AS last_login | table login, last_login

So now, I need a help to create a filter to get users that haven't been logged in the previous 45 days.
(last_login > 45 days).

Any idea?

Cheers!

0 Karma
Reply

ltrand
Contributor
‎09-23-2014 11:42 AM

First you need to quantify the unknown (who are all of the users), or assume some level of inefficiency/error.

So, you could run your search on "All Time" and anything older than 45 days becomes the search criteria, but it's an expensive search and it assumes you have perfect logging and all users have utilized this at least once.

OR!

You need to give it a list of all users. A lookup.csv that is fed into Splunk at some normal interval for indexing and then it can search only within 45 days of current time and then spit out anyone not on the list.

That really is your first challenge since your methodology of determining who is a user will dictate what the search query will look like.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top