Splunk Search

How to use a date format as a filter in the base search

Motivator

Hi,

I have events with a timestamp_value=1477043785561
We can filter like this:

index=a sourcetype=logins timestampvalue<=1477008000

Is it possible to use a date format in the base search to filter?

Of course the following does not work, but perhaps something similar is possible so that I don't have to translate every filter into epoch time.

index=a sourcetype=logins timestampvalue<=2016-10-21

Best
Heinz

0 Karma

Re: How to use a date format as a filter in the base search

Legend

Try this:

 index=a sourcetype=logins timestampvalue<=[| makeresults | eval search=strptime("2016-10-21", "%Y-%m-%d") | return search]


0 Karma

Re: How to use a date format as a filter in the base search

Motivator

This does not work because of this error:

Error in 'search' command: Unable to parse the search: Comparator '=' has an invalid term on the left hand side.

I tried different adjustments, but without success.

0 Karma

Re: How to use a date format as a filter in the base search

Motivator

It seems that there was just a character missing:

index=a sourcetype=logins timestampvalue<=[| makeresults | eval search=strptime("2016-10-21", "%Y-%m-%d") | return $search]

This works fine, thanks for this approach!
I assume that this does not have negative subsearch performance issues or subsearch limits, because it is only calculating one single result?

0 Karma

Re: How to use a date format as a filter in the base search

Legend

It only calculates the server time and returns one value, so there should not be any impact.

0 Karma

Re: How to use a date format as a filter in the base search

Champion

One more thought:
if timestampvalue and index time are the same, why not add timestampvalue to latest and try:

index=a sourcetype=logins earliest="10/01/2016:00:00:00" latest="10/21/2016:00:00:00"

By this, we can avoid the subsearch altogether.

0 Karma

Re: How to use a date format as a filter in the base search

Champion

index=a sourcetype=logins | where ( timestampvalue <= [| makeresults | eval search=strptime("2016-10-21", "%Y-%m-%d") | return search] )

0 Karma

Re: How to use a date format as a filter in the base search

Motivator

As I understand it, this search will first load all events and filter afterwards. That's why I would like to have it in the base search, before the first pipe.

0 Karma

Re: How to use a date format as a filter in the base search

Champion

OK, let's try:

| makeresults | eval searchtime=strptime("2016-10-21", "%Y-%m-%d") | search index=a sourcetype=logins timestampvalue <= searchtime

0 Karma
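The thread's subsearch and makeresults variants both translate the date to epoch inside Splunk; an added example (not from any poster) does the same translation outside Splunk and emits the plain base search, so the filter stays before the first pipe with no subsearch at all. The index, sourcetype and field names are the thread's; the explicit timezone parameter is an assumption, since the accepted answer's strptime() silently uses the search head's timezone.

```python
"""Translate a calendar date into the epoch value a Splunk base search needs."""
from datetime import datetime, timedelta, timezone, tzinfo


def day_bounds(date_str: str, tz: tzinfo = timezone.utc, unit: str = "s"):
    """Return (start, end) epoch values for the half-open range
    [midnight, next midnight) of date_str (YYYY-MM-DD) in timezone tz.

    unit="ms" scales to milliseconds for fields that store epoch millis,
    such as the 13-digit timestamp_value quoted in the question; the SPL
    filters in the thread compare against seconds, so the unit of the
    field decides which value is the correct boundary.
    """
    start = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=tz)
    end = start + timedelta(days=1)  # wall-clock midnight of the next day
    scale = 1000 if unit == "ms" else 1
    return int(start.timestamp()) * scale, int(end.timestamp()) * scale


def build_base_search(index: str, sourcetype: str, field: str,
                      before_date: str, tz: tzinfo = timezone.utc,
                      unit: str = "s") -> str:
    """Base search with the thread's `timestampvalue<=2016-10-21` intent:
    keep events whose field is at or before midnight of before_date."""
    start, _ = day_bounds(before_date, tz, unit)
    return f"index={index} sourcetype={sourcetype} {field}<={start}"


if __name__ == "__main__":
    # Pass e.g. zoneinfo.ZoneInfo("Europe/Berlin") as tz for local midnight.
    print(build_base_search("a", "logins", "timestampvalue", "2016-10-21"))
    # prints: index=a sourcetype=logins timestampvalue<=1477008000
```

The printed filter is the same epoch the question typed by hand, which confirms that 1477008000 is midnight of 2016-10-21 in UTC.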