Trying to limit results by date

declan294 · ‎05-13-2017

I am trying to filter results based on a search term (seen below) for only items that match a date from the time searched until the end of the year.

Trying to only receive results for accountExpires from date of search through 12/31/currentyear

Any help is appreciated

index=ad accountExpires=>{CurrentDate} OU="Contractor" accountExpires NOT "Never Expires" | dedup sAMAccountName | table sAMAccountName,accountExpires

woodcock · ‎05-17-2017

Like this:

index=ad OU="Contractor" accountExpires NOT "Never Expires" 
| dedup sAMAccountName
| eval accountExpires=strptime(accountExpires, "<<FormatOfDateInFieldaccountExpires>>")
| fieldformat accountExpires=strftime(accountExpires, "<<FormatOfDateInFieldaccountExpires>>")
| addinfo
| where accountExpires>=info_min_time AND accountExpires<=relative_time(now(), "@y")
| table sAMAccountName accountExpires

somesoni2 · ‎05-13-2017

May be like this

index=ad accountExpires>=[| gentimes start=-1 | eval query=strftime(now(),"<<FormatOfDateInFieldaccountExpires>>" | table search]  accountExpires<=[| gentimes start=-1 | eval query=strftime(relative_time(now(),"@y+1y"),"<<FormatOfDateInFieldaccountExpires>>" | table search] OU="Contractor" NOT "Never Expires" | dedup sAMAccountName | table sAMAccountName,accountExpires

Trying to limit results by date

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...