Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Problems using where command to compare times and filter results

rjashton
Engager
‎11-11-2021 08:29 AM

I'm having trouble with using the where command to compare times. The search that I'm running is this:

 

 

 

index=jamf sourcetype=JamfModularInput "computer.general.last_contact_time_epoch"=* "computer.general.last_contact_time_epoch"!=0| dedup computer.pagination.serial_number 
| rename computer.general.last_contact_time_epoch as checkinepoch  
| eval thirtydays=relative_time(now(),"-30d")
| rename computer.general.last_contact_time as "Last Check-In"
| where "thirtydays">"checkinepoch" 
| table thirtydays,checkinepoch,"Last Check-In"

 

The problem I have is that it returns no results with the where command being using less than (<), and then if I use greater than (>) it returns all of the results without filtering the ones that I want. Here is an example of the output with that search:Screen Shot 2021-11-11 at 16.19.28.png
As you can see I am getting results returned where checkinepoch is larger than thirtydays.

Does the where command treat the decimal in the thirtydays number as a multiplation operator (like x*y = xy)? The effect of this could be that it calculates that value as 1634051921 * 000000 = 0 

Super confused by this 😄 please help!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2021 08:46 AM

Your epoch time is in milliseconds and your thirtydays is in seconds which is a factor of 1000 different - either multiply or divide one of them to get to the same units.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2021 08:46 AM

Your epoch time is in milliseconds and your thirtydays is in seconds which is a factor of 1000 different - either multiply or divide one of them to get to the same units.

0 Karma
Reply
Solved! Jump to solution

rjashton
Engager
‎11-11-2021 08:54 AM

I knew I was doing something pretty silly but I just couldn't see! Thanks very much!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...