Solved: How to search from custom time field?

kpavan · ‎06-08-2022

Hi All,

I have logs which is from db_inputs/custom_script where owner not indexing custom time field as _time and they are importing all data every day without incremental.

So i need to find assets which is last 7days with custom time field

custom time field is last_found,

2020-07-06T17:42:29.322Z

2020-01-06T17:42:29.322Z

2020-01-05T17:42:29.322Z

2020-01-04T17:42:29.322Z

from these date&time how can i search assets which is only last 7days from last_found custom time field. Please help on the query that would be great help.

Thanks!

jamie00171 · ‎06-08-2022

Hi @kpavan ,

You could use strptime to convert last_found to an epoch timestamp: https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#strptime

Then do something like:

| eval seven_days_ago=relative_time(now(), "-7d")

Then search for events where last_found > seven_days_ago

Thanks,

Jamie

View solution in original post

jamie00171 · ‎06-08-2022

Hi @kpavan ,

You could use strptime to convert last_found to an epoch timestamp: https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#strptime

Then do something like:

| eval seven_days_ago=relative_time(now(), "-7d")

Then search for events where last_found > seven_days_ago

Thanks,

Jamie

kpavan · ‎06-09-2022

Thanks you @jamie00171,

I tried your solution with below query, I think am getting expected results. Thanks agian!

| eval etime=(strftime(strptime(last_found,"%Y-%m-%dT%H:%M:%S.%Q%Z"),"%s"))
| eval seven_days_ago=relative_time(now(), "-7d")
| where etime > seven_days_ago

How to search from custom time field?

other

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!