Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to search from custom time field?

kpavan
Path Finder
‎06-08-2022 09:21 AM

Hi All,

I have logs which is from db_inputs/custom_script where owner not indexing custom time field as _time and they are importing all data every day without incremental. 

So i need to find assets which is last 7days with custom time field

custom time field is last_found,

2020-07-06T17:42:29.322Z

2020-01-06T17:42:29.322Z

2020-01-05T17:42:29.322Z

2020-01-04T17:42:29.322Z

from these date&time how can i search assets which is only last 7days from last_found custom time field. Please help on the query that would be great help.

 

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jamie00171
Communicator
‎06-08-2022 10:15 AM

Hi @kpavan ,

You could use strptime to convert last_found to an epoch timestamp: https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#strptime

Then do something like: 

| eval seven_days_ago=relative_time(now(), "-7d")

Then search for events where last_found > seven_days_ago

Thanks,

Jamie

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jamie00171
Communicator
‎06-08-2022 10:15 AM

Hi @kpavan ,

You could use strptime to convert last_found to an epoch timestamp: https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#strptime

Then do something like: 

| eval seven_days_ago=relative_time(now(), "-7d")

Then search for events where last_found > seven_days_ago

Thanks,

Jamie

0 Karma
Reply
Solved! Jump to solution

kpavan
Path Finder
‎06-09-2022 02:22 AM

Thanks you @jamie00171,

I tried your solution with below query, I think am getting expected results. Thanks agian!

| eval etime=(strftime(strptime(last_found,"%Y-%m-%dT%H:%M:%S.%Q%Z"),"%s"))
| eval seven_days_ago=relative_time(now(), "-7d")
| where etime > seven_days_ago

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...