I am setting up an alert on Splunk where my data is in the below format. I am writing a query that returns only those rows where CertExpiry is within 15 days. Basically the alert should trigger if the cert is getting expired in the next 15 days.
I suppose that you have these fields from a search.
You have to set up a condition that CertExpiry - now() is less than 15 days, something like this:
| stats latest(CertExpiry) AS CertExpiry BY Server Component
| eval CertExpiry=strptime(CertExpiry,"%B %d,%Y %I:%M:%S %p %Z")
| where CertExpiry<now()+1296000
Adapt the control logic to your use case.
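A fuller version of the same check, as an added example rather than the answer's own search: it builds four constructed rows with makeresults (the Server, Component and day-offset values are assumed sample data), parses CertExpiry with the same format string, keeps rows that are already expired or expire within 15 days, and adds a days_left column for the alert body.

```spl
| makeresults
| eval rows="web01,nginx,10|db01,postgres,40|vpn01,openvpn,-3|api01,tomcat,14"
| makemv delim="|" rows
| mvexpand rows
| rex field=rows "^(?<Server>[^,]+),(?<Component>[^,]+),(?<offset_days>-?\d+)$"
| eval CertExpiry=strftime(now()+tonumber(offset_days)*86400, "%B %d,%Y %I:%M:%S %p %Z")
| fields Server Component CertExpiry
| stats latest(CertExpiry) AS CertExpiry BY Server Component
| eval expiry_epoch=strptime(CertExpiry, "%B %d,%Y %I:%M:%S %p %Z")
| eval days_left=round((expiry_epoch-now())/86400, 1)
| eval status=case(expiry_epoch<now(), "EXPIRED", expiry_epoch<now()+15*86400, "EXPIRING", true(), "OK")
| where status!="OK"
| table Server Component CertExpiry days_left status
| sort days_left
```

The lines up to `fields` only fabricate sample events and are replaced by your real base search in production; the alert condition is then "number of results > 0", and the EXPIRED status keeps certificates that were missed from silently dropping out of the window.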