Splunk Search

How to generate a search that finds events that are older than 90 days?

srikanthpanchak
New Member

Hi,

Below is my sample event. I want to create a search base which would return all such below events where FirstOccurrence field is more than 90 days old. This is a date field showing the time stamp when the event triggered first. I want to look for such events which are older than 90 days. Can you please help me with this?

UPDATE:: "Dash-Time"=03/17/2017 09:52:02 AM!"Node"="TOKAR"!"NodeAlias"="TOK1-RR1"!"Severity"=3!"FirstOccurrence"=12/20/2016 03:36:41 PM!"LastOccurrence"=03/17/2017 09:52:02 AM!"Summary"="BGP Peer Connection Idle  ( bgpPeerRemoteAddr: 10.108.73.16 )"!"Count"=117648!"Category"="WAN,WAN-CORE"!"MonitoringAgent"="MttrapdProbe@c702quanmpnci"!"AlertGroup"="BGP Peer Status"!"AlertKey"="bgpPeerEntry.10.108.73.16"!"Maintenance"=0!"Identifier"="TOKAR bgpPeerEntry.10.108.73.16 BGP Peer Status 1 IETF-BGP MttrapdProbe@c702quanmpnci 2 1"!"Serial"=14261338!"Action"="" ::UPDATE
0 Karma

cmerriman
Super Champion

try something like this. you only need the rex if you don't already have the raw events broken out.

....|rex field=_raw "FirstOccurrence(?<FirstOccurrence>.*)!"LastOccurrence"
|eval FirstOccurrence=strptime(FirstOccurrence,"%m/%d/%Y %H:%M:%S %p")
|eval lastNinetyDays=now()-7776000
|where FirstOccurrence<=lastNinetyDays

DalJeanis
Legend

In the rex, you need to escape the quote before "LastOccurrence", but actually I'd just delete everything after the ! since the ! is the delimiter.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...