Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to exclude events before a certain date ( not timestamp).

PC00128849
New Member
‎09-14-2019 11:24 AM

Lets say i have a column called as birthdate in my events and i do not want to see the events or birth records which are before 01.01/2015. can somebody help me to do this?

Tags (1)
0 Karma
Reply

maciep
Champion
‎09-14-2019 02:56 PM

You should be able to use strptime to convert to epoch and then do the check. So let's say your birthday field is in the a mm-dd-yyyy format...

your base search
| eval bd_epoch = strptime(birthday,"%m-%d-%Y"), bd_earliest_epoch = strptime("01-01-2015","%m-%d-%Y")
| where bd_epoch >= bd_earliest_epoch
0 Karma
Reply

PC00128849
New Member
‎09-23-2019 10:04 PM

| rename "Checkin Date" as Cdate
|eval epochdate=strptime(Cdate, "%d.%m.%Y")
| eval c_time=strftime(epochdate,"%d-%m-%Y")
| eval bd_earliest_epoch = strptime("05-04-2017","%d-%m-%Y")
| eval p_time=strftime(bd_earliest_epoch,"%d-%m-%Y")
| where (c_time < p_time)
| table ItemName c_time p_time

This is not returning expected values.

below are the result events

ItemName c_time p_time
Project_2 04-08-2019 05-04-2017
VAR_T_IB 01-04-2019 05-04-2017
VAR_ItemConfig_IB 02-01-2019 05-04-2017
VAR_Item_VAR 02-01-2017 05-04-2017

Ideally it should have only shown my last event. but it shows even bigger dates that 05-04-2017

0 Karma
Reply

maciep
Champion
‎09-25-2019 05:09 AM

ah, looks like you're comparing strings not timestamps, so splunk is going to compare them as strings. Either compare the epochs or reformat the date strings to a format that will work with a string compare, e.g. Year-Month-Date.

i'd go with epoch first at least, maybe this?

.... | where epochdate < bd_earliest_epoch | ....
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...