Solved: How to exclude events where the date greater than ...

ebruozys · ‎06-25-2018

Hi,

Is there a way to exclude events in a search where a specific date field (not timestamp) is greater than today. Sow i only want to see events where the specified date field is today or smaller.

FrankVl · ‎06-25-2018

Try the following, which first parses the date field into a proper date/time value. Then calculates the date/time value for today and then filters events that have a date smaller or equal to today.

... your base search ...
| eval filterdate = strptime(date,"%Y-%m-%d")
| eval today = relative_time(now(),"-0d@d")
| where filterdate <= today

View solution in original post

FrankVl · ‎06-25-2018

Try the following, which first parses the date field into a proper date/time value. Then calculates the date/time value for today and then filters events that have a date smaller or equal to today.

... your base search ...
| eval filterdate = strptime(date,"%Y-%m-%d")
| eval today = relative_time(now(),"-0d@d")
| where filterdate <= today

ebruozys · ‎06-25-2018

Hi Frank,

This is the answer I was looking for. I would rather exclude it in the base search but I guess with the readable time format that is not possible.

FrankVl · ‎06-25-2018

Can you provide some info on what field that date is in and how it is formatted?

ebruozys · ‎06-25-2018

The date field is in a human readable format as follows 2018-03-27 00:00:00.0, sow its YYYY-MM-DD.

How to exclude events where the date greater than today?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

How to exclude events where the date greater than today?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR