Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Please help me with the search command that will only display the list of last 30 days events

tejasbharadwaj
New Member
‎06-13-2017 12:15 AM

Hello,

Please help me with the below:-

1) search command that will only display the list of last 15 days events.
Example:- I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today) . Using this "opened_at" field, I need to extract the list of last 15 days events i.e., events from 30th May - 13th June (today). So I would need a search command to get this result.

2) search command that will display the list of events from last 15 days to 30 days.
Example:- I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today) . Using this "opened_at" field, I need to extract the list of events from last 15 days to 30 days i.e., events from 15th May - 30th May. So I would need a search command to get this result.

Please help!

Tags (1)
0 Karma
Reply

horsefez
Motivator
‎06-13-2017 09:37 AM

Hi,

I have tried to solve your problem. This answer might help you further into solving your question. Keep in mind, that there might be a more efficient solution for this.

I just used the splunk internal index _audit to simulate your setup.
Here is what I go so far, this is the solution for past 15 days (to apply this to past 15 to 30 days isn't that hard)

index=_audit | eval opened_at=strftime(_time,"%d/%m/%Y %H:%M") | rex field=opened_at "(?<day>\d+)\/(?<month>\d+)\/(?<year>\d+)" | eval range=day+month+year | eventstats max(range) AS latest_range | where range>latest_range-15 | table _time day month year range latest_range
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...