Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search improvement

ibmbaranski
Engager
‎07-26-2021 08:33 AM

Hi - looking for a more efficient way to do this, if anyone has any tips:

 

index=xyz sourcetype=abc NOT user_email=unauthenticated (user_email=*) | eval day=strftime(_time, "%Y%m%d") | search day=20210723 | ...

 

Basically, can I filter on _time for a specific day without doing the eval then filter, this seems like an inefficient way to query if I can somehow say dayOf(_time)='20201010' or something like that...

Labels (1)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2021 09:05 AM

@ibmbaranski 

You can filter events using earliest and latest filter. Can you please try this?

index=xyz sourcetype=abc NOT user_email=unauthenticated (user_email=*) [| makeresults | eval earliest=strptime("20210723", "%Y%m%d"),latest=relative_time(earliest, "+1d@d") | table earliest latest | format] | ...

 

KV 

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...