Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get eval command to display results with X ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
neerajs_81
Builder
12-15-2022
10:52 PM
Hi All, i have a field "last_seen" which shows date in the below format . My requirement is to compare today's date against this last_seen date and show only those events which is 3 days before today's date
| last_seen |
| 2022-12-15T19:46:55Z |
| 2022-12-14T19:46:55Z |
| 2022-12-11T19:46:55Z |
I thought of calculating first a field that shows me the date 3 days before this last_seen value and then further doing a |where condition to show me the results. I tried the below calculation but deltaDays is coming out empty as splunk shows it blank . So the formula of now()-last_seen isn't working. Reference: https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-ex...
| eval deltaDays = (now() - last_seen)/86400 | where deltaDays >=3
| table last_seen deltaDays
Expected results ( given todays date is Dec 16). Show results from 3 days before
| last_seen |
| 2022-12-11T19:46:55Z |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Manasa_401
Communicator
12-16-2022
02:39 AM
Hi @neerajs_81
Try converting the last_seen into epoch format
|eval e_last_seen = strptime(last_seen,"%Y-%m-%dT%H:%M:%SZ")
Later you can perform the calculations as you did
| eval deltaDays = (now() - e_last_seen)/86400 | where deltaDays >=3
| table last_seen deltaDays
If this helps karma would be appreciated.
Thanks
Manasa
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Manasa_401
Communicator
12-16-2022
02:39 AM
Hi @neerajs_81
Try converting the last_seen into epoch format
|eval e_last_seen = strptime(last_seen,"%Y-%m-%dT%H:%M:%SZ")
Later you can perform the calculations as you did
| eval deltaDays = (now() - e_last_seen)/86400 | where deltaDays >=3
| table last_seen deltaDays
If this helps karma would be appreciated.
Thanks
Manasa
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
neerajs_81
Builder
12-16-2022
02:51 AM
THANK you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
12-15-2022
11:19 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
neerajs_81
Builder
12-16-2022
02:50 AM
Thank you for checking. I was making a mistake in the strptime() command. Had the time format mentioned incorrectly there.
Manasa's response worked
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
