Splunk Search

How do I search records for today and 120 days back?

tferranteku
Explorer
sort -date | dedup Date_Month_Year | where Date>1575183600

I need this query to run only for the past 120 days from today. I can put in the date manually as above, but need this to be more automated so anyone can run this query and get results for the current to 120 day range.

I have the following fields:
Date Date_Friendly Date_Month_Year Host_Count
15786200 01/01/2020 January 2020 1234

I have tried 2 things and neither works.

where (strptime(Date, "%m/%d/%Y")>=strptime("4/2/2018", "%m/%d/%Y")) AND (strptime(Date, "%m/%d/%Y")>=strptime("4/10/2018", "%m/%d/%Y"))

| eval Date="1/1/2020" 
| eval timestampDate=strptime(Date, "%m/%d/%Y")  
| eval timestampStart=strptime("1/1/2020", "%m/%d/%Y") 
| eval timestampEnd=strptime("5/1/2020", "%m/%d/%Y") 
| eval formattedTimestamp = strftime(timestamp,"%Y-%m-%dT%H:%M:%S") 
| where timestampDate >= timestampStart AND timestampDate <= timestampEnd
0 Karma
1 Solution

tferranteku
Explorer

I worked out my answer:

dedup Date_Month_Year _ | Sort Date | eval Range=now() | eval StartRange=(Range-10518972) | where Date>StartRange

View solution in original post

0 Karma

tferranteku
Explorer

I worked out my answer:

dedup Date_Month_Year _ | Sort Date | eval Range=now() | eval StartRange=(Range-10518972) | where Date>StartRange

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try relative_time. It computes a new timestamp based on an existing time and a modifier string.

where (strptime(Date, "%m/%d/%Y")>=relative_time(now(), "-120d"))
---
If this reply helps you, Karma would be appreciated.
0 Karma

tferranteku
Explorer

Received the following error:
Error in 'where' command: The expression is malformed. Expected).

0 Karma

richgalloway
SplunkTrust
SplunkTrust

So add the missing ). See the updated answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tferranteku
Explorer

You are correct that I was missing the ) -- but now i get No results found.

This is what i have so far that works but I need to simplify:

sort -date | dedup Date_Month_Year | where Date_Friendly="05/01/2020" or Date_Friendly="04/01/2020" or Date_Friendly="03/01/2020"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Now I'm lost. That last query seems to do something very different from the "120 days ago" in the original question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tauliang
Communicator

Assuming your events have _time in them, besides the fields you already have, can you try this really quick?

... <whatever searches you have>
earliest =-120d@d

Or

earliest="01/01/2020:00:00:00" 
latest="05/01/2020:00:00:00" 

Either should work.

0 Karma

tferranteku
Explorer

I am getting Unknown search command 'earliest'

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...