Please help me with the search command that will o...

tejasbharadwaj · ‎06-13-2017

Hello,

Please help me with the below:-

1) search command that will only display the list of last 15 days events.
Example:- I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today) . Using this "opened_at" field, I need to extract the list of last 15 days events i.e., events from 30th May - 13th June (today). So I would need a search command to get this result.

2) search command that will display the list of events from last 15 days to 30 days.
Example:- I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today) . Using this "opened_at" field, I need to extract the list of events from last 15 days to 30 days i.e., events from 15th May - 30th May. So I would need a search command to get this result.

Please help!

horsefez · ‎06-13-2017

Hi,

I have tried to solve your problem. This answer might help you further into solving your question. Keep in mind, that there might be a more efficient solution for this.

I just used the splunk internal index _audit to simulate your setup.
Here is what I go so far, this is the solution for past 15 days (to apply this to past 15 to 30 days isn't that hard)

index=_audit | eval opened_at=strftime(_time,"%d/%m/%Y %H:%M") | rex field=opened_at "(?<day>\d+)\/(?<month>\d+)\/(?<year>\d+)" | eval range=day+month+year | eventstats max(range) AS latest_range | where range>latest_range-15 | table _time day month year range latest_range

Please help me with the search command that will only display the list of last 30 days events

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector