Solved: How to subtract days from earliest?

verothor · ‎11-26-2022

Hi,

I need to subtract -30d from earliest, where earliest is counted by token.

I tried to convert token result to unix time and subtract unix date counted from token- 2628000 but this doesn't work.

The token will use day before today with hour 14:30 or 23:59 so I need to have this exact time for latest to be chosen but I need to look with earliest 30 days ago this exact date and time?

index="*" sourcetype="*" earliest=1669296600.000000-2628000.000000 latest=1669296600.000000

OR

index="*" sourcetype="*" earliest="11/24/2022 14:30:00"-30d latest="11/24/2022 14:30:00"

It is possible, could someone please help?

Thank you in advance.

ITWhisperer · ‎11-26-2022

Try something like this

index="*" sourcetype="*" [| makeresults
  | eval earliest=relative_time(latest,"-30d")
  | fields earliest latest
  | format]

View solution in original post

verothor · ‎11-30-2022

Thank you, this helped!

ITWhisperer · ‎11-26-2022

Try something like this

index="*" sourcetype="*" [| makeresults
  | eval earliest=relative_time(latest,"-30d")
  | fields earliest latest
  | format]

How to subtract days from earliest?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation