Solved: How to subtract days from earliest?

verothor · ‎11-26-2022

Hi,

I need to subtract -30d from earliest, where earliest is counted by token.

I tried to convert token result to unix time and subtract unix date counted from token- 2628000 but this doesn't work.

The token will use day before today with hour 14:30 or 23:59 so I need to have this exact time for latest to be chosen but I need to look with earliest 30 days ago this exact date and time?

index="*" sourcetype="*" earliest=1669296600.000000-2628000.000000 latest=1669296600.000000

OR

index="*" sourcetype="*" earliest="11/24/2022 14:30:00"-30d latest="11/24/2022 14:30:00"

It is possible, could someone please help?

Thank you in advance.

ITWhisperer · ‎11-26-2022

Try something like this

index="*" sourcetype="*" [| makeresults
  | eval earliest=relative_time(latest,"-30d")
  | fields earliest latest
  | format]

View solution in original post

verothor · ‎11-30-2022

Thank you, this helped!

ITWhisperer · ‎11-26-2022

Try something like this

index="*" sourcetype="*" [| makeresults
  | eval earliest=relative_time(latest,"-30d")
  | fields earliest latest
  | format]

How to subtract days from earliest?

other

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes