Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract days from earliest?

verothor
Path Finder
‎11-26-2022 02:20 AM

Hi,

I need to subtract -30d from earliest, where earliest is counted by token.

I tried to convert token result to unix time and subtract unix date counted from token- 2628000 but this doesn't work.

The token will use day before today with hour 14:30 or 23:59 so I need to have this exact time for latest to be chosen but I need to look with earliest 30 days ago this exact date and time?

index="*" sourcetype="*"  earliest=1669296600.000000-2628000.000000 latest=1669296600.000000

OR

index="*" sourcetype="*"  earliest="11/24/2022 14:30:00"-30d latest="11/24/2022 14:30:00"

 

It is possible, could someone please help?

Thank you in advance.

 

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-26-2022 10:54 AM

Try something like this

index="*" sourcetype="*" [| makeresults
  | eval earliest=relative_time(latest,"-30d")
  | fields earliest latest
  | format]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

verothor
Path Finder
‎11-30-2022 01:04 AM

Thank you, this helped!

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-26-2022 10:54 AM

Try something like this

index="*" sourcetype="*" [| makeresults
  | eval earliest=relative_time(latest,"-30d")
  | fields earliest latest
  | format]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...