sort -Date | dedup DateMonthYear | where Date>1575183600
I need this query to run only for the past 120 days from today. I can put in the date manually as above, but I need this to be more automated so that anyone can run this query and get results for the current 120-day range.
I have the following fields:
Date DateFriendly DateMonthYear HostCount
15786200 01/01/2020 January 2020 1234
I have tried 2 things and neither works.
where (strptime(Date, "%m/%d/%Y")>=strptime("4/2/2018", "%m/%d/%Y")) AND (strptime(Date, "%m/%d/%Y")>=strptime("4/10/2018", "%m/%d/%Y"))
| eval Date="1/1/2020" | eval timestampDate=strptime(Date, "%m/%d/%Y") | eval timestampStart=strptime("1/1/2020", "%m/%d/%Y") | eval timestampEnd=strptime("5/1/2020", "%m/%d/%Y") | eval formattedTimestamp = strftime(timestamp,"%Y-%m-%dT%H:%M:%S") | where timestampDate >= timestampStart AND timestampDate <= timestampEnd
Assuming your events have _time in them, besides the fields you already have, can you try this really quick?
... <whatever searches you have> earliest=-120d@d
Either should work.
Use relative_time. It computes a new timestamp based on an existing time and a modifier string.
where (strptime(Date, "%m/%d/%Y")>=relative_time(now(), "-120d"))
So add the missing ). See the updated answer.
You are correct that I was missing the ) -- but now I get No results found.
This is what i have so far that works but I need to simplify:
sort -Date | dedup DateMonthYear | where DateFriendly="05/01/2020" or DateFriendly="04/01/2020" or DateFriendly="03/01/2020"
Now I'm lost. That last query seems to do something very different from the "120 days ago" in the original question.
I worked out my answer:
dedup DateMonthYear | sort Date | eval Range=now() | eval StartRange=(Range-10518972) | where Date>StartRange
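An added example, not taken from any post in this thread, that combines the earliest= suggestion and the relative_time() suggestion above into one rolling 120-day window. index and sourcetype are placeholders for whatever base search you run; the field names Date, DateFriendly, DateMonthYear and HostCount are the ones listed in the question. Because the original query compares Date directly against an epoch number (Date>1575183600), Date is assumed to already hold an epoch-style value and is compared to relative_time() without strptime(); running strptime(Date, "%m/%d/%Y") on a numeric field returns null, and where drops every row whose comparison is null, which is one way to end up with "No results found".

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE earliest=-120d@d
| dedup DateMonthYear
| where Date >= relative_time(now(), "-120d@d")
| sort Date
| table Date DateFriendly DateMonthYear HostCount
```

The earliest=-120d@d term limits the search on _time before any field work happens, which keeps the search cheap; the where clause then applies the same 120-day boundary (snapped to midnight by @d) to the Date field itself, so the result is correct even when _time and Date differ. If only DateFriendly is available, replace the where line with where strptime(DateFriendly, "%m/%d/%Y") >= relative_time(now(), "-120d@d"), keeping the format string matched to the field's actual layout.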