Splunk Search

Using Relative Time To Lookup New Hires Within The Last 3 Months

payton_tayvion
Path Finder

I'm currently trying to create a search that look for employees hired within the last 3 months, but I keep getting all of the results. Here's the code:

 

 

 

| where _time >= relative_time(now(),"-3mon") 
| eval HR_STATUS=case(CGH_RITS_EMP_STAT="TE", "Terminated", CGH_RITS_EMP_STAT="AC","Active",CGH_RITS_EMP_STAT="LE", "Leave of Absence", CGH_RITS_EMP_STAT="PA", "Paid Leave of Absence", true(), "Other") 
| eval TYPE=case(CGH_RITS_EMP_CODE="E", "EMPLOYEE", CGH_RITS_EMP_CODE="C","CONSULTANT", true(), "Other") 
| eval Date=(strptime(ORIG_HIRE_DT,"%Y%m%d")) 
| eval Hire_Date=strftime(Date,"%m/%d/%Y") 
| table CGH_SOE_ID, FIRST_NAME, LAST_NAME, JOBTITLE, TYPE, EMAIL_ADDR, Hire_Date, ORIG_HIRE_DT, HR_STATUS 
| rename CGH_SOE_ID AS SOE_ID, EMPLID AS GEID 
| sort Hire_Date

 

 

 

 

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Shouldn't the where clause be comparing the hire date not the timestamp of the event?

| eval HR_STATUS=case(CGH_RITS_EMP_STAT="TE", "Terminated", CGH_RITS_EMP_STAT="AC","Active",CGH_RITS_EMP_STAT="LE", "Leave of Absence", CGH_RITS_EMP_STAT="PA", "Paid Leave of Absence", true(), "Other") 
| eval TYPE=case(CGH_RITS_EMP_CODE="E", "EMPLOYEE", CGH_RITS_EMP_CODE="C","CONSULTANT", true(), "Other") 
| eval Date=(strptime(ORIG_HIRE_DT,"%Y%m%d")) 
| where Date >= relative_time(now(),"-3mon") 
| eval Hire_Date=strftime(Date,"%m/%d/%Y") 
| table CGH_SOE_ID, FIRST_NAME, LAST_NAME, JOBTITLE, TYPE, EMAIL_ADDR, Hire_Date, ORIG_HIRE_DT, HR_STATUS 
| rename CGH_SOE_ID AS SOE_ID, EMPLID AS GEID 
| sort Hire_Date
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...