I have this dataset in Splunk, and I am trying to see only the events where "firstSeen" is within the last 7 days.
I tried `| where firstSeen<7d`, but that didn't work either.
| state | Age | dnsName | firstSeen | ip | lastSeen | severity | pluginID |
|---|---|---|---|---|---|---|---|
| open | 32.49 | 28-Nov-22 | 28-Nov-22 | 10.102.10.1 | 29-Nov-22 | informational | 10180 |
| open | 1 | Cat | 28-Nov-22 | 10.102.1.23 | 29-Nov-22 | informational | 11219 |
| open | 34.06 | | 22-Nov-22 | | 29-Nov-22 | informational | 19506 |
| open | 5.6 | Dog | 23-Nov-22 | | 28-Nov-22 | informational | 168007 |
| open | 22.65 | Lion | 6-Nov-22 | | 28-Nov-22 | informational | 166958 |
| open | 31.64 | tiger | 28-Oct-22 | | 28-Nov-22 | informational | 166602 |
| open | 120.63 | giraf | 25-Nov-22 | | 28-Nov-22 | informational | 163588 |
| open | 68.47 | leap | 21-Sep-22 | | 28-Nov-22 | informational | 163489 |
| open | 68.47 | big dog | 21-Sep-22 | | 28-Nov-22 | informational | 163488 |
This is the query that I used; it is returning no results:
```
index=tenable* sourcetype="*" | where pluginID <1000000
| eval firstSeen=strftime(firstSeen, "%m/%d/%Y %H:%M:%S")
| eval lastSeen=strftime(lastSeen, "%m/%d/%Y %H:%M:%S")
| eval discovery = strptime(lastSeen, "%m/%d/%Y %H:%M:%S") - strptime(firstSeen, "%m/%d/%Y %H:%M:%S")
| eval Age = round(discovery / 86400, 2)
| eval firstSeen =strftime(strptime(firstSeen,"%m/%d/%Y %H:%M:%S"),"%d-%B-%y")
| eval lastSeen =strftime(strptime(lastSeen,"%m/%d/%Y %H:%M:%S"),"%d-%B-%y")
| dedup pluginID
| where firstSeen>now()-7*86400
| table State Age dnsName firstSeen ip lastSeen severity pluginID
```
Purely based on your sample code, there are several mistakes; the most serious one is trying to calculate a numeric value based on the output of strftime, which is a string.
If I take blind faith in your code, I'd modify it to:
```
index=tenable* sourcetype="*" | where pluginID <1000000
| dedup pluginID
| eval discovery = lastSeen - firstSeen
| eval Age = round(discovery / 86400, 2)
| where relative_time(firstSeen, "+7d") > now()
| fieldformat firstSeen =strftime(firstSeen,"%d-%B-%y")
| fieldformat lastSeen =strftime(lastSeen,"%d-%B-%y")
| table State Age dnsName firstSeen ip lastSeen severity pluginID
```
How is it that your "dataset" contains a field "Age" but you are also calculating it based on a field that doesn't exist in your dataset, namely "lastSeen"? Is that table the output, rather than your dataset?
Without knowing what your raw data looks like, no one can tell you what to expect.
It's hard to be certain from this table, but firstSeen will most probably be a string. You have to parse it with strptime to a numerical timestamp. Then you simply filter with:
```
| where your_timestamp>now()-7*86400
```
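As an added illustration of the two answers above (not code from the thread), this Python snippet replays the problem on rows constructed from the question's table: comparing a formatted date string against a number (or against another string) does not order dates correctly, while parsing with strptime to an epoch first makes the 7-day filter and the Age calculation work. The reference "now" of 29-Nov-22 12:00 UTC is an assumption chosen so the output is reproducible.

```python
from datetime import datetime, timezone

# Constructed rows mirroring the question's table; dates are already
# strftime-formatted strings, the state the original search left them in.
ROWS = [
    {"dnsName": "Cat",   "firstSeen": "28-Nov-22", "lastSeen": "29-Nov-22", "pluginID": 11219},
    {"dnsName": "Dog",   "firstSeen": "23-Nov-22", "lastSeen": "28-Nov-22", "pluginID": 168007},
    {"dnsName": "Lion",  "firstSeen": "6-Nov-22",  "lastSeen": "28-Nov-22", "pluginID": 166958},
    {"dnsName": "tiger", "firstSeen": "28-Oct-22", "lastSeen": "28-Nov-22", "pluginID": 166602},
    {"dnsName": "giraf", "firstSeen": "25-Nov-22", "lastSeen": "28-Nov-22", "pluginID": 163588},
]

# Format of the values in the table (%b matches the abbreviated month names).
DATE_FMT = "%d-%b-%y"

# Assumed fixed reference time so the filter result is deterministic.
NOW = datetime(2022, 11, 29, 12, 0, tzinfo=timezone.utc)


def to_epoch(text: str) -> float:
    """strptime equivalent: formatted date string -> numeric epoch timestamp."""
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc).timestamp()


def string_order_misleads(a: str, b: str) -> bool:
    """True when lexical comparison of the two date strings disagrees with the
    real chronological order, i.e. the pitfall behind comparing strftime output."""
    return (a < b) != (to_epoch(a) < to_epoch(b))


def last_7_days(rows, now=NOW):
    """Equivalent of `where your_timestamp > now()-7*86400` after parsing:
    keep rows whose firstSeen epoch lies within the last seven days."""
    cutoff = now.timestamp() - 7 * 86400
    return [r for r in rows if to_epoch(r["firstSeen"]) > cutoff]


def age_days(row) -> float:
    """Equivalent of `round((lastSeen - firstSeen) / 86400, 2)` on epochs."""
    return round((to_epoch(row["lastSeen"]) - to_epoch(row["firstSeen"])) / 86400, 2)


if __name__ == "__main__":
    print("lexical order wrong for 28-Nov vs 6-Nov:",
          string_order_misleads("28-Nov-22", "6-Nov-22"))
    for r in last_7_days(ROWS):
        print(r["dnsName"], r["firstSeen"], "age", age_days(r))
```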