Splunk Search

Need to get events created in last 30days

vijaya5
Engager

Hi,

I am trying to fetch splunk events that are created in last 30days for below query, by selecting time range as last 30days.
But i am getting all time events itseems for this query. Please suggest

Query used:
index=servicenow eventtype=snow_change* sourcetype="snow:change_request" (change_state_name="Work Complete" OR change_state_name=Closed) earliest=-30d@d
| dedup number | eval diff=strptime(dv_work_end,"%Y-%m-%d %H:%M:%S")-strptime(dv_work_start,"%Y-%m-%d %H:%M:%S")
| eval Downtime=round((diff/60),3)
| table number Downtime host dv_work_start dv_work_end

SPlunk Evets o/p:
Complete 1,285 events (1/28/20 12:00:00.000 AM to 2/27/20 5:30:31.555 PM) No Event Sampling Job Smart Mode
Events
Patterns
Statistics (1,285)
Visualization
100 Per Page
Format
Preview
Prev1...3456789...Next
number Downtime host dv_work_start dv_work_end
number Downtime host dv_work_start dv_work_end
CHG0129357 300.000 kmci4odw2023 2020-01-19 21:00:00 2020-01-20 02:00:00
CHG0129566 120.000 kmci4odw2023 2020-01-19 23:30:00 2020-01-20 01:30:00
CHG0129494 99.250 kmci4odw2023 2020-01-19 23:48:54 2020-01-20 01:28:09
CHG0129795 4320.367 kmci4odw2023 2020-01-20 10:55:10 2020-01-23 10:55:32
CHG0129116 1110.000 kmci4odw2023 2020-01-20 13:00:00 2020-01-21 07:30:00
CHG0129536 1380.000 kmci4odw2023 2020-01-20 13:30:00 2020-01-21 12:30:00
CHG0129632 88.250 kmci4odw2023 2020-01-20 15:05:04 2020-01-20 16:33:19
CHG0129634 120.000 kmci4odw2023 2020-01-20 16:15:00 2020-01-20 18:15:00
CHG0129585 120.000 kmci4odw2023 2020-01-20 17:00:00 2020-01-20 19:00:00
CHG0129389 155.100 kmci4odw2023 2020-01-20 22:30:25 2020-01-21 01:05:31
CHG0129593 0.000 kmci4odw2023 2020-01-20 23:30:00 2020-01-20 23:30:00
CHG0129647 90.667 kmci4odw2023 2020-01-21 04:30:00 2020-01-21 06:00:40
CHG0129323 1440.000 kmci4odw2023 2020-01-21 07:00:00 2020-01-22 07:00:00
CHG0128642 60.000 kmci4odw2023 2020-01-21 09:00:00 2020-01-21 10:00:00
CHG0129555 151.300 kmci4odw2023 2020-01-21 09:00:25 2020-01-21 11:31:43
CHG0128772 90.000 kmci4odw2023 2020-01-21 09:30:00 2020-01-21 11:00:00
CHG0129613 1440.000 kmci4odw2023 2020-01-21 09:30:00 2020-01-22 09:30:00
CHG0129234 1440.000 kmci4odw2023 2020-01-21 09:30:00 2020-01-22 09:30:00
CHG0129955 10080.000 kmci4odw2023 2020-01-21 09:55:51 2020-01-28 09:55:51
CHG0129650 57.800 kmci4odw2023 2020-01-21 10:00:00 2020-01-21 10:57:48
CHG0128646 120.000 kmci4odw2023 2020-01-21 10:00:00 2020-01-21 12:00:00
CHG0129667 1230.000 kmci4odw2023 2020-01-21 13:00:00 2020-01-22 09:30:00
CHG0128650 3120.000 kmci4odw2023 2020-01-21 13:00:00 2020-01-23 17:00:00
CHG0129676 120.000 kmci4odw2023 2020-01-21 13:15:00 2020-01-21 15:15:00
CHG0129461 119.500 kmci4odw2023 2020-01-21 13:30:30 2020-01-21 15:30:00
CHG0129446 60.000 kmci4odw2023 2020-01-21 16:00:00 2020-01-21 17:00:00
CHG0129292 50.000 kmci4odw2023 2020-01-21 17:00:00 2020-01-21 17:50:00
CHG0129679 35.000 kmci4odw2023 2020-01-21 17:20:00 2020-01-21 17:55:00
CHG0129709 420.000 kmci4odw2023 2020-01-21 19:00:00 2020-01-22 02:00:00
CHG0129526 167.917 kmci4odw2023 2020-01-21 21:00:00 2020-01-21 23:47:55
CHG0129677 180.000 kmci4odw2023 2020-01-21 21:30:00 2020-01-22 00:30:00
CHG0129646 40.183 kmci4odw2023 2020-01-21 23:35:37 2020-01-22 00:15:48
CHG0129567 296.883 kmci4odw2023 2020-01-22 00:25:57 2020-01-22 05:22:50
CHG0129417 1450.000 kmci4odw2023 2020-01-22 07:00:00 2020-01-23 07:10:00
CHG0129295 10.000 kmci4odw2023 2020-01-22 07:00:00 2020-01-22 07:10:00

Labels (2)
Tags (1)
0 Karma
1 Solution

to4kawa
Ultra Champion
....
| where relative_time(_time,"-30d@d") <= strptime(dv_work_start,"%Y-%m-%d %H:%M:%S")

View solution in original post

0 Karma

to4kawa
Ultra Champion
....
| where relative_time(_time,"-30d@d") <= strptime(dv_work_start,"%Y-%m-%d %H:%M:%S")
0 Karma

somesoni2
SplunkTrust
SplunkTrust

The timerange you apply on the search works based on the field "_time" which denotes when the event occurred.
In your results, the dates you see are different timestamp field and not _time. Those timestamp fields (dv_work_start dv_work_end) may not be related to the _time field (they're not per your data), hence you see variety of dates.

I would suggest to check the timestamp parsing of your sourcetype to see what time is being considered as time. If possible update your sourcetype to use one of `dv_work*` field so that you can filter based on that.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...