Re: Using Relative Time To Lookup New Hires Within...

payton_tayvion · ‎05-19-2021

I'm currently trying to create a search that look for employees hired within the last 3 months, but I keep getting all of the results. Here's the code:

| where _time >= relative_time(now(),"-3mon") 
| eval HR_STATUS=case(CGH_RITS_EMP_STAT="TE", "Terminated", CGH_RITS_EMP_STAT="AC","Active",CGH_RITS_EMP_STAT="LE", "Leave of Absence", CGH_RITS_EMP_STAT="PA", "Paid Leave of Absence", true(), "Other") 
| eval TYPE=case(CGH_RITS_EMP_CODE="E", "EMPLOYEE", CGH_RITS_EMP_CODE="C","CONSULTANT", true(), "Other") 
| eval Date=(strptime(ORIG_HIRE_DT,"%Y%m%d")) 
| eval Hire_Date=strftime(Date,"%m/%d/%Y") 
| table CGH_SOE_ID, FIRST_NAME, LAST_NAME, JOBTITLE, TYPE, EMAIL_ADDR, Hire_Date, ORIG_HIRE_DT, HR_STATUS 
| rename CGH_SOE_ID AS SOE_ID, EMPLID AS GEID 
| sort Hire_Date

ITWhisperer · ‎05-19-2021

Shouldn't the where clause be comparing the hire date not the timestamp of the event?

| eval HR_STATUS=case(CGH_RITS_EMP_STAT="TE", "Terminated", CGH_RITS_EMP_STAT="AC","Active",CGH_RITS_EMP_STAT="LE", "Leave of Absence", CGH_RITS_EMP_STAT="PA", "Paid Leave of Absence", true(), "Other") 
| eval TYPE=case(CGH_RITS_EMP_CODE="E", "EMPLOYEE", CGH_RITS_EMP_CODE="C","CONSULTANT", true(), "Other") 
| eval Date=(strptime(ORIG_HIRE_DT,"%Y%m%d")) 
| where Date >= relative_time(now(),"-3mon") 
| eval Hire_Date=strftime(Date,"%m/%d/%Y") 
| table CGH_SOE_ID, FIRST_NAME, LAST_NAME, JOBTITLE, TYPE, EMAIL_ADDR, Hire_Date, ORIG_HIRE_DT, HR_STATUS 
| rename CGH_SOE_ID AS SOE_ID, EMPLID AS GEID 
| sort Hire_Date

Using Relative Time To Lookup New Hires Within The Last 3 Months

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?