Splunk Search

How to search from custom time field?

kpavan
Path Finder

Hi All,

I have logs which come from db_inputs/custom_script, where the owner is not indexing the custom time field as _time and they are importing all the data every day without incremental loads.

So I need to find the assets from the last 7 days using the custom time field.

The custom time field is last_found, for example:

2020-07-06T17:42:29.322Z

2020-01-06T17:42:29.322Z

2020-01-05T17:42:29.322Z

2020-01-04T17:42:29.322Z

From these dates and times, how can I search for only the assets from the last 7 days based on the last_found custom time field? Please help with the query; that would be a great help.

Thanks!

0 Karma
1 Solution

jamie00171
Communicator

Hi @kpavan ,

You could use strptime to convert last_found to an epoch timestamp: https://docs.splunk.com/Documentation/SCS/current/SearchReference/DateandTimeFunctions#strptime

Then do something like: 

| eval seven_days_ago=relative_time(now(), "-7d")

Then search for events where last_found > seven_days_ago

Thanks,

Jamie

0 Karma

kpavan
Path Finder

Thank you @jamie00171,

I tried your solution with the query below, and I think I am getting the expected results. Thanks again!

| eval etime=strptime(last_found,"%Y-%m-%dT%H:%M:%S.%Q%Z")
| eval seven_days_ago=relative_time(now(), "-7d")
| where etime > seven_days_ago

0 Karma
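A fuller version of the approach from the accepted answer, added here as an example and not part of the thread (the index, sourcetype and the asset_id field are assumptions). It rewrites the trailing Z as an explicit +0000 offset so strptime yields a UTC-correct epoch regardless of the searching user's time zone, and, because the feed is reloaded in full every day, keeps only the most recent last_found per asset before applying the 7-day window:

```spl
index=asset_inventory sourcetype=db_input_assets
| eval last_found_epoch=strptime(replace(last_found, "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S.%Q%z")
| where isnotnull(last_found_epoch)
| stats max(last_found_epoch) as last_found_epoch by asset_id
| eval cutoff=relative_time(now(), "-7d@d")
| where last_found_epoch >= cutoff
| eval last_found=strftime(last_found_epoch, "%Y-%m-%d %H:%M:%S %z"),
       days_since_seen=round((now() - last_found_epoch) / 86400, 1)
| sort - last_found_epoch
| table asset_id last_found days_since_seen
```

The isnotnull() check drops rows whose last_found did not match the format (strptime returns null in that case) instead of silently comparing null against the cutoff; flipping the comparison to `<` lists the assets not seen in the last 7 days instead.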