Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for an event from last week based on time value field?

vnguyen46
Contributor
‎06-18-2019 06:27 AM

Hi - I am searching for events based on time field Last_Login_Time (sample value: 2019-06-13T20:26:12.000Z) which happened in last one week.
In SQL, it can be Last_Login_Time > getdate() - 7. How it works in Splunk?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎06-18-2019 07:30 AM

Hi,

Please try below query.

<yourBaseSearch>
| eval llt_epoch = strptime(Last_login_time, "%Y-%m-%dT%H:%M:%S.%3Q")
| where llt_epoch > now()-604800

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎06-18-2019 07:30 AM

Hi,

Please try below query.

<yourBaseSearch>
| eval llt_epoch = strptime(Last_login_time, "%Y-%m-%dT%H:%M:%S.%3Q")
| where llt_epoch > now()-604800
0 Karma
Reply
Solved! Jump to solution

vnguyen46
Contributor
‎06-18-2019 09:27 AM

Works perfectly. Script by VatsalJagani should work as well. Thank you!

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎06-18-2019 07:27 AM

Hello @vnguyen46,

You can write say the similar thing in Splunk also. | where Last_Login_Time > relative_time(now(),"-7d")

Make sure your field Last_Login_Time is in epoch format (integer). If it is not in epoch format, instead it is in string then you can convert to epoch format like: | eval Last_Login_Time=strptime(Last_Login_Time,"%Y-%m-%dT%H:%M:%S.%3Q").

In comparison SQL, you need to run this search in "All Time". But in Splunk if you know that some event for which Last Login Time is in last 7 days event can be in Last 10 days not before that, then you can reduce the timerange to Last 10 Days to help Splunk complete search quicker. Or if you know value we are finding for event cannot be before last 7 days then you can say timerange to Last 7 Days.

Hope this helps!!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...