I have an installedAt field which gives the application's installation time.
If I run a Splunk search for the last 7 days it shows the application installed at different times.
So I want the query to find the applications installed in the last 7 days.
Hi @alexspunkshell,
add, at the end of the search, a condition that excludes durations less than 7 days (604,800 seconds):
<your_search>
| eval duration=now()-strptime(InstalledAt,"%Y-%m-%dT%H:%M:%S.%6N")
| where duration>604800
| eval duration=tostring(duration,"duration")
| table _time InstalledAt duration
Ciao.
Giuseppe
You appear to have two different time formats in use - try something like this
| where now()-coalesce(strptime(installedAt,"%Y-%m-%dT%H:%M:%S.%6N%Z"),strptime(installedAt,"%Y-%m-%dT%H:%M:%S%Z")) < (60*60*24*7)
@ITWhisperer @gcusello Tried using the queries. But no results.
Hi @alexspunkshell,
there are two choices:
Ciao.
Giuseppe
Though I gave the | search duration <7+ condition, I am getting other results. How to exclude the results within 7 days?
Given that your example times are 4-5 years ago, could it be that you haven't had any installs in the last 7 days?
@ITWhisperer @gcusello I have new installs but the query is updating the latest time to all results and showing all the results. Here I need the installation that occurred over the past 7 days.
The dedup will mean you will only get one result per agentComputerName - if you want the other dates, you should
| dedup agentComputerName installedAt
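A Python model of what the replies above combine: the two-format parse via coalesce, the 7-day window, and the (agentComputerName, installedAt) dedup key. This is an added example, not Splunk code and not from the thread; the host names, events and the fixed "now" are constructed.

```python
from datetime import datetime, timezone

# The two timestamp layouts the replies handle: with and without fractional seconds.
# Python's %z accepts a trailing "Z" or "+0000"; the SPL above used %Z for that part.
FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")
SEVEN_DAYS = 60 * 60 * 24 * 7  # 604800 seconds, the window used in the thread

# Constructed sample events (hypothetical hosts, not data from the thread).
SAMPLE_EVENTS = [
    {"agentComputerName": "host01", "installedAt": "2024-05-20T08:15:30.123456Z"},  # 4 days ago
    {"agentComputerName": "host02", "installedAt": "2023-11-02T10:00:00Z"},         # old install
    {"agentComputerName": "host02", "installedAt": "2024-05-22T09:30:00Z"},         # reinstall, 2 days ago
    {"agentComputerName": "host02", "installedAt": "2024-05-22T09:30:00Z"},         # duplicate event
    {"agentComputerName": "host03", "installedAt": "2024-05-15T12:00:00.000001Z"},  # 9 days ago
    {"agentComputerName": "host04", "installedAt": "not-a-timestamp"},              # unparseable
]
NOW = datetime(2024, 5, 24, 12, 0, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def parse_installed_at(value):
    """Mimic coalesce(strptime(..fmt1..), strptime(..fmt2..)): the first layout that
    parses wins; None if neither does (Splunk yields null and 'where' drops the row)."""
    for fmt in FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def recent_installs(events, now, window_seconds=SEVEN_DAYS):
    """Keep events installed within the window before 'now', then dedup on
    (agentComputerName, installedAt) so a host with several install dates keeps
    each distinct date instead of collapsing to one row per host."""
    seen = set()
    out = []
    for ev in events:
        ts = parse_installed_at(ev["installedAt"])
        if ts is None:
            continue
        duration = (now - ts).total_seconds()
        if not 0 <= duration < window_seconds:
            continue  # older than the window (or in the future)
        key = (ev["agentComputerName"], ev["installedAt"])
        if key in seen:
            continue
        seen.add(key)
        out.append({**ev, "duration": duration})
    return out
```

With the sample data only host01 and the 2024-05-22 reinstall on host02 survive; the single-format search from earlier in the thread would have dropped host02 entirely because its timestamp has no fractional seconds.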
Hi @alexspunkshell,
you could run a search like the following:
<your_search>
| eval duration=tostring(now()-strptime(InstalledAt,"%Y-%m-%dT%H:%M:%S.%6N"),"duration")
| table _time InstalledAt duration
Ciao.
Giuseppe