Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Previous month search based on now

antonio147
Communicator
‎11-13-2020 09:20 AM

Hi everyone,
I'm new to Splunk and trying to create a simple report, but I'm already having trouble.
I would like to do a search on a DATA_ACA field that contains dates in this format: 2020-11-13 15:10:23.
The search must return all those events that have the previous month in the DATA_ACA field, therefore all the events that have: 2020-10- *

I tried with
index=........
| eval month_aca = strptime (relative_time (now (), "- 1mon @ d") "% m)
| eval year_aca = strptime (relative_time (now (), "- 1mon @ d") "% Y)
| eval data_aca = year_aca. "-". month_aca. "- *"
| search DATA_ACA = data_aca
.....

....
| table DATA_ACA, month_aca, year_aca, data_aca

but nothing returns me no event.
You can help me?

Do you have any suggestions ?
Tks
Bye
Antonio

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-13-2020 12:05 PM

Try converting DATA_ACA into epoch form and then comparing it to the first and last days of the month.

index=foo
| eval aca_epoch = strptime(DATA_ACA, "%Y-%m-%d")
| where (aca_epoch >= relative_time(now(), "-1mon@mon")
  AND aca_epoch < relative_time(now(), "@mon"))
| table DATA_ACA

If you want to keep the current query, be aware that the search command treats the RHS as a string.  Use the where command to compare a field to another field.

index=........
| eval month_aca = strptime (relative_time (now (), "- 1mon @ d") "% m)
| eval year_aca = strptime (relative_time (now (), "- 1mon @ d") "% Y)
| eval data_aca = year_aca. "-". month_aca. "- *"
| where DATA_ACA = 'data_aca'
.....

....
| table DATA_ACA, month_aca, year_aca, data_aca

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

antonio147
Communicator
‎11-13-2020 12:35 PM

Hi richgalloway,
Thanks for the reply.
A doubt, if I use your suggestion converting to epoch, if now is for example November 12th, where would it take from October 12th to November 11th correct?
I need to extract all the October events from 1st to 31st, without any November day.
So for each month, on any day I launch the query, I always have to take only all the days of the previous month.

In any case, thanks, tomorrow I will try your suggestions and let you know the outcome.
Bye
Antonio

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-13-2020 01:33 PM

The "@mon" argument means "the beginning of the current month", which is 1st Nov in our context.  So, when the SPL says "aca_epoch < relative_time(now(), "@mon")" it's accepting dates up to 31 Oct 2020 23:59:59.  That's what's desired, right?

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

antonio147
Communicator
‎11-14-2020 06:52 AM

yes and just that
Thank you so much

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-13-2020 12:05 PM

Try converting DATA_ACA into epoch form and then comparing it to the first and last days of the month.

index=foo
| eval aca_epoch = strptime(DATA_ACA, "%Y-%m-%d")
| where (aca_epoch >= relative_time(now(), "-1mon@mon")
  AND aca_epoch < relative_time(now(), "@mon"))
| table DATA_ACA

If you want to keep the current query, be aware that the search command treats the RHS as a string.  Use the where command to compare a field to another field.

index=........
| eval month_aca = strptime (relative_time (now (), "- 1mon @ d") "% m)
| eval year_aca = strptime (relative_time (now (), "- 1mon @ d") "% Y)
| eval data_aca = year_aca. "-". month_aca. "- *"
| where DATA_ACA = 'data_aca'
.....

....
| table DATA_ACA, month_aca, year_aca, data_aca

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

antonio147
Communicator
‎11-14-2020 06:50 AM

Hi richgalloway,
your suggestion was very valuable,
with the where and with
| eval aca_epoch = strptime (DATA_ACA, "% Y-% m-% d")
| where (aca_epoch> = relative_time (now (), "-1mon @ mon")
AND aca_epoch <relative_time (now (), "@mon"))
it worked the first time.
Also thanks for your explanations, I did not know that @mon took the first day of the month, I thought it was only referring to the number of days / months back or forward.
I understood that the search refers to strings while the where to the content of a field.
I have a question to ask: what is the difference between where and search if both are used as a comparison?
soo for the above or is there more?

and if instead of now (), I wanted to use a date of my choice, how should I put it?
Just replace now () with "2020-09-27" for example?
Thanks again for the tip
a nice we
Antonio

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...