Splunk Search

Please help me with the search command that will only display the list of last 30 days events

tejasbharadwaj
New Member

Hello,

Please help me with the below:

1) search command that will only display the list of last 15 days events.
Example: I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today). Using this "opened_at" field, I need to extract the list of last 15 days events i.e., events from 30th May - 13th June (today). So I would need a search command to get this result.

2) search command that will display the list of events from last 15 days to 30 days.
Example: I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today). Using this "opened_at" field, I need to extract the list of events from last 15 days to 30 days i.e., events from 15th May - 30th May. So I would need a search command to get this result.

Please help!


horsefez
Motivator

Hi,

I have tried to solve your problem. This answer might help you further into solving your question. Keep in mind, that there might be a more efficient solution for this.

I just used the splunk internal index _audit to simulate your setup.
Here is what I got so far; this is the solution for the past 15 days (to apply this to the past 15 to 30 days isn't that hard):

index=_audit | eval opened_at=strftime(_time,"%d/%m/%Y %H:%M") | rex field=opened_at "(?<day>\d+)\/(?<month>\d+)\/(?<year>\d+)" | eval range=floor(strptime(opened_at,"%d/%m/%Y %H:%M")/86400) | eventstats max(range) AS latest_range | where range>latest_range-15 | table _time day month year range latest_range
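As an added example (not part of the original answer), here is one search that classifies each event by the age of its "opened_at" value and so answers both questions at once: "last 15 days" is taken as the 15 calendar days ending today (30 May to 13 June), and "15 to 30 days" as the 15 calendar days before that (15 May to 29 May). The sample opened_at values are constructed with makeresults, and the reference day is pinned to 13 June 2017 to match the question; the field names age_days, today_start and window are assumptions of this example.

```spl
| makeresults
| eval opened_at=split("13/06/2017 10:05,30/05/2017 17:40,29/05/2017 23:59,15/05/2017 08:00,14/05/2017 12:30,01/01/2017 00:00", ",")
| mvexpand opened_at
| eval opened_epoch=strptime(opened_at, "%d/%m/%Y %H:%M")
| eval today_start=relative_time(strptime("13/06/2017 12:00", "%d/%m/%Y %H:%M"), "@d")
| eval age_days=round((today_start - relative_time(opened_epoch, "@d")) / 86400)
| eval window=case(age_days < 0, "future", age_days <= 14, "last_15_days", age_days <= 29, "15_to_30_days", true(), "older")
| table opened_at age_days window
```

Append `| where window="last_15_days"` for question 1 and `| where window="15_to_30_days"` for question 2; in the real search, replace the makeresults/split/mvexpand lines with your own index search and today_start with `relative_time(now(), "@d")`. Snapping both timestamps to the start of the day with "@d" before subtracting, and rounding rather than truncating, keeps the day count correct across DST changes and regardless of the time of day the event was opened.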