Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Simulating SQL functions

ldeakm
Explorer
‎11-16-2011 04:15 PM

I am trying to simulate this type of date filter in splunk. Please help...

In SQL I use

select * from table where DATEADD (DD , -30 , getdate() ) > EventHappenedTimeStamp

I am simply looking for events that happened greater than 30 days ago.

Thanks!

Tags (1)
Reply

ldeakm
Explorer
‎11-18-2011 08:52 AM

Looks like I am on the right track here but i still cant seem to get this to work. The time format of the data field is 11/7/2011 2:14:45 PM. I am trying this query but it returns no results.

index=ad classPath="computer" | head 1 | where (strptime(other_timestamp_field,"%M/%D/%Y %H:%M:%S") < (now() - (86400 * 30))) | table cn,pwdLastSet

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎11-18-2011 09:09 AM

(A) you can always edit your original question. It "flows" better than appending an update to your question as a new answer to your question. Splunk Answers is rather unlike a web forum in that way.

(B) If pwdLastSet is the field that has your other timestamp in it, then that is what needs to be the first argument to strptime. Also, your strptime format string needs to match the timestamp format of the string. Otherwise it doesn't work. See my updated answer.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎11-16-2011 08:41 PM

So, you're trying to do a search where you're comparing the value of some OTHER timestamp field (other than the event's actual timestamp) against current time? Easiest thing to do is use time_t values, similar to:

sourcetype=foo | where (strptime(other_timestamp_field,"%Y%m%d %H:%M:%S") < (now() - (86400 * 30)))

We're taking advantage of strptime to parse the other timestamp field into a time_t. From there, now() represents the current time of when the search is ran. And there's 86,400 seconds in a day.

If I understand your requirement correctly, this should work pretty well.

UPDATE

With some more assumptions, like your timestamp field is formatted as 11/7/2011 2:14:45 PM and is named pwdLastSet

index=ad classPath="computer" | head 1 | where (strptime(pwdLastSet,"%M/%D/%Y %I:%M:%S %p") < (now() - (86400 * 30))) | table cn,pwdLastSet
Reply

ldeakm
Explorer
‎11-16-2011 07:44 PM

One of the things that make conversions between SQL and SPLUNK so difficult is that we tend to use the same terms but they mean very different things. I should have been more specific.

I am trying to simulate this type of date filter in splunk. Please help...

In SQL I use
select * from table where DATEADD (DD , -30 , getdate() ) > SomeTimeValueFromTheEvent

I am simply looking for data that is contained in the event (not the indexed time but time data in the event) so I can report on it. A great example is filtering out active directory records on the Password Last Set value. “30 days ago”

Thanks!

----------------------------------Update--------------------------------------------------------

The new query below does not seem to work either. The items I am using are out of box discovery functionality of SPLUNK. The data source is Active Directory. On the computer object there is a attribute called pwdLastSet. I am simply trying to filter for computer objects that have reset there passwords in the last 30 days.

Reply

joshd
Builder
‎11-16-2011 05:15 PM

just run whatever search it is you have and use latest=-30d@d ... this will only return results that are older than 30 days.

example:

search host=myhost sessionid=AAAA1111BBBB2222 latest=-30d@d
0 Karma
Reply

Takajian
Builder
‎11-16-2011 04:18 PM

I think you can specify the date very easily by splunk. Please take look at following manual.

http://docs.splunk.com/Documentation/Splunk/latest/User/ChangeTheTimeRangeOfYourSearch

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...