Splunk Search

Want to fetch data of 3 weeks, before any date and time entered

intelsubham
Explorer

Working on development of a form-based dashboard where the user will enter a date, and I want to fetch 3 weeks of data before that date. So what should the earliest and latest be accordingly?

Example: suppose the user entered 7/14/2014:00:00:00; data should be fetched for the 3 weeks before that date.

1 Solution

martin_mueller
SplunkTrust

You could calculate the earliest_time in an eval-based macro like this:

index=foo sourcetype=bar earliest=`three_weeks_before($date$)` latest="$date$" | ...

With the macro three_weeks_before(1) defined like this:

relative_time(strptime("$date$", "%m/%d/%Y:%H:%M:%S"), "-3w")
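The following is an added example, not part of the answer above, that mirrors the macro's arithmetic in Python so the window boundaries can be checked offline before wiring the token into a dashboard. It assumes the token arrives in the same `%m/%d/%Y:%H:%M:%S` format the macro's strptime() expects, computes epochs as UTC (a search head would use its configured timezone), and emits SPL's `earliest=`/`latest=` time modifiers. The function names, the `index=foo sourcetype=bar` base search and the sample tokens are constructed for illustration.

```python
import calendar
from datetime import datetime, timedelta

# Same format the dashboard token uses and the macro passes to strptime()
TOKEN_FORMAT = "%m/%d/%Y:%H:%M:%S"
THREE_WEEKS = timedelta(weeks=3)  # equivalent of Splunk's "-3w" relative time


def parse_token(token: str):
    """Parse the user-entered date exactly as the macro's strptime() would.

    Returns None when the token does not match the format; Splunk's strptime()
    returns null in that case, so the macro would expand to an empty earliest.
    """
    try:
        return datetime.strptime(token, TOKEN_FORMAT)
    except ValueError:
        return None


def time_bounds(token: str):
    """Return (earliest, latest) epoch seconds for a 3-week window ending at the token.

    Assumption: epochs are computed as UTC here. On a search head, strptime()
    and relative_time() apply the search head's configured timezone instead.
    """
    latest_dt = parse_token(token)
    if latest_dt is None:
        return None
    earliest_dt = latest_dt - THREE_WEEKS
    return (calendar.timegm(earliest_dt.timetuple()),
            calendar.timegm(latest_dt.timetuple()))


def build_search(token: str, base_search: str = "index=foo sourcetype=bar"):
    """Build the time-bounded search, or None when the token is unparseable.

    Refusing to build the search on a parse failure means the raw token is
    never spliced into SPL, the same property the strptime()-based macro gives.
    """
    bounds = time_bounds(token)
    if bounds is None:
        return None
    earliest, latest = bounds
    return f"{base_search} earliest={earliest} latest={latest}"


if __name__ == "__main__":
    # Constructed inputs: one valid token, one in the wrong format
    for token in ("7/14/2014:00:00:00", "2014-07-14 00:00:00"):
        print(repr(token), "->", build_search(token))
```

Running it shows the valid token producing a window of exactly 21 days ending at the entered timestamp, and the mis-formatted token producing no search at all rather than a search with an empty earliest bound.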
