Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a date format as a filter in the base search

HeinzWaescher
Motivator
‎10-21-2016 04:20 AM

Hi,

I have events with a timestamp_value=1477043785561
We can filter like this:

index=a sourcetype=logins timestampvalue<=1477008000

Is it possible to use a date format in the base search to filter?

Of course the following does not work, but perhaps something similar is possible so that I don't have to translate every filter into epochtime.

index=a sourcetype=logins timestampvalue<=2016-10-21

Best
Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-21-2016 04:23 AM

Try this

 index=a sourcetype=logins timestampvalue<=[| makeresults | eval search=strptime("2016-10-21", "%Y-%m-%d") | return search]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-21-2016 04:36 AM 
 index=a sourcetype=logins | where ( timestampvalue <= [| makeresults | eval search=strptime("2016-10-21", "%Y-%m-%d") | return search] )
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎10-21-2016 04:40 AM

How I understand it, this search will first load all events and filter afterwards. That's why I would like to have it in the base search before the first pipe

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-21-2016 04:48 AM

ok, lets try -
| makeresults | eval searchtime=strptime("2016-10-21", "%Y-%m-%d") | search index=a sourcetype=logins timestampvalue <= searchtime

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-21-2016 04:23 AM

Try this

 index=a sourcetype=logins timestampvalue<=[| makeresults | eval search=strptime("2016-10-21", "%Y-%m-%d") | return search]
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎10-21-2016 04:32 AM

This does not work because of this error:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side.

I tried different adjustments but without success

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎10-21-2016 04:47 AM

It seems that there was just missing a charachter

index=a sourcetype=logins timestampvalue<=[| makeresults | eval search=strptime("2016-10-21", "%Y-%m-%d") | return $search]

This works fine, thanks for this approach!
I assume that this does not have negative subsearch performance issues or subsearch limits, because it is only calcualting one single result?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-21-2016 04:57 AM

one more thought -
if timestampvalue and indextime are same, why not add timestampvalue to latest and try -
index=a sourcetype=logins earliest="10/01/2016:00:00:00" latest="10/21/2016:00:00:00"
by this, we can avoid the subsearch altogether.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-21-2016 04:55 AM

It only calculates the servertime and returns one value, so should be any impact.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...