Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a date field that isn't _time to search HelpDesk tickets closed in the last 30 days?

justinfranks
Path Finder
‎09-07-2014 08:24 PM

Hello,

I am indexing HelpDesk tickets and I am trying to derive some stats about these tickets.

During the indexing of these events (indexed from a MySQL DB using DB Connect), I have set my timestamp field to be the date the ticket was opened. This generate events like this:

2014-09-07T23:05:44.000 tech_name="Justin Franks" client_name="Wilfred Server" job_ticket_id=10840 problem_type3=Backup problem_type2="Backup and Restore" problem_type1="INFORMATION TECHNOLOGY" department_name= first_response_date= close_date= status_type_name=Open last_updated=1410095145.000 group_name="IT | Backups"

Is there a way to search on which tickets have been closed in say... the last 30 days? How would I change _time to a different field and re-search on it?

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-07-2014 11:21 PM

Yes you can do that. The format of the close_date field is not given in your example, so let's assume it's epoch.

your search 
| eval recent_close = if((now() - close_date) < (30*86400),"1","0") 
| where recent_close = 1 
| blah blah

If you need to convert close_date to epoch (with the eval strptime() function), do so before making the comparison to now()

Just make sure that you search for a wide enough time-range, and not just the last 30 days.

/k

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎09-07-2014 11:21 PM

Yes you can do that. The format of the close_date field is not given in your example, so let's assume it's epoch.

your search 
| eval recent_close = if((now() - close_date) < (30*86400),"1","0") 
| where recent_close = 1 
| blah blah

If you need to convert close_date to epoch (with the eval strptime() function), do so before making the comparison to now()

Just make sure that you search for a wide enough time-range, and not just the last 30 days.

/k

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-08-2014 05:59 AM

Thanks!
/k

0 Karma
Reply
Solved! Jump to solution

jackreeves
Explorer
‎12-04-2017 04:57 AM

I am trying do something similar but struggling with adding the strptime () function.

My close_date field is in following format "2017/11/30", could you please advise 🙂

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-07-2014 11:47 PM

Hi /k, congrats to 20k karma 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...