Trying to limit results by date

declan294 · ‎05-13-2017

I am trying to filter results based on a search term (seen below) for only items that match a date from the time searched until the end of the year.

Trying to only receive results for accountExpires from date of search through 12/31/currentyear

Any help is appreciated

index=ad accountExpires=>{CurrentDate} OU="Contractor" accountExpires NOT "Never Expires" | dedup sAMAccountName | table sAMAccountName,accountExpires

woodcock · ‎05-17-2017

Like this:

index=ad OU="Contractor" accountExpires NOT "Never Expires" 
| dedup sAMAccountName
| eval accountExpires=strptime(accountExpires, "<<FormatOfDateInFieldaccountExpires>>")
| fieldformat accountExpires=strftime(accountExpires, "<<FormatOfDateInFieldaccountExpires>>")
| addinfo
| where accountExpires>=info_min_time AND accountExpires<=relative_time(now(), "@y")
| table sAMAccountName accountExpires

somesoni2 · ‎05-13-2017

May be like this

index=ad accountExpires>=[| gentimes start=-1 | eval query=strftime(now(),"<<FormatOfDateInFieldaccountExpires>>" | table search]  accountExpires<=[| gentimes start=-1 | eval query=strftime(relative_time(now(),"@y+1y"),"<<FormatOfDateInFieldaccountExpires>>" | table search] OU="Contractor" NOT "Never Expires" | dedup sAMAccountName | table sAMAccountName,accountExpires

Trying to limit results by date

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake