| savedsearch cbp_inc_base
| eval _time=strftime(opened_time, "%Y/%m/%d")
| bin _time span=1d
Here _time is giving complete data; I want to filter it for one month, i.e. 30 days. I tried relative_time, but it's giving only a specific day.
Thanks for all your help, I modified the base search as below and it worked:
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))
The query you have given is not working.
I did include earliest in my base search, but it still gives old data. Not sure from where it's picking it up.
index="ab" source_name=xy platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=abc source_name=xyz earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| table hostname, alert_id, incident_number, correct_host, opened_time
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints
Here the _time> condition will print Sep, Oct, Nov values as well, but my requirement is to print only the previous months.
| savedsearch cbp_inc_base
| eval _time=strftime(opened_time, "%Y/%m/%d")
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d
I am getting data like this, but I want data only for the previous 30 days:
  | _time      | false | true |
1 | 2021/07/21 | 1     | 0    |
2 | 2021/10/04 | 1     | 0    |
3 | 2021/10/14 | 2     | 0    |
4 | 2021/11/04 |       |      |
| savedsearch cbp_inc_base
| eval _time=strftime(opened_time, "%Y/%m/%d")
| eval _time = if(_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d
This errors.
| savedsearch cbp_inc_base
| eval _time=strftime(opened_time, "%Y/%m/%d")
| eval _time<relative_time(now(),"-3d@d")
This gives data for that particular day only, i.e. Dec 31st data.
Why are you converting _time to a string (strftime) then comparing to a numeric value (relative_time)? Try doing your comparisons before you convert _time to a string.
You were close! The eval command assigns a value to a field. To filter events based on field values, use the where command.
| savedsearch cbp_inc_base
| eval _time=strftime(opened_time, "%Y/%m/%d")
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d
Hi
You should replace the where clause with this:
| where (_time <= relative_time(now(),"@mon")) AND (_time >= relative_time(now(),"-1mon@mon"))
Of course, it would be best if you can add this already in the search from the index phase, as earliest=.... AND latest=...; that is the most efficient way to do the query.
r. Ismo
And just like @ITWhisperer said, don't convert _time. The Splunk UI will do that conversion automatically when needed. So just drop that eval _time = strftime... from there.
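Putting richgalloway's where filter and the two points ITWhisperer and isoutamo make (compare opened_time while it is still a number, and bound the search with earliest) together, here is a complete version of the questioner's base search. This is an added example, not code posted by anyone in the thread; it assumes the same indexes, fields and date format as the base search shown above, and that hasAppBlueprints holds the values true/false as in the questioner's table.

```spl
index="ab" source_name=xy platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints
| rename hostName as hostname
| join type=inner max=0 hostname
    [ search index=abc source_name=xyz earliest=-30d@d
    | dedup incident_number
    | rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
    | rename configuration_item as hostname
    | eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
    | eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname)
    | table hostname, alert_id, incident_number, correct_host, opened_time ]
| where opened_time >= relative_time(now(), "-30d@d") AND opened_time < relative_time(now(), "@d")
| eval _time=opened_time
| timechart span=1d count by hasAppBlueprints
```

strptime and relative_time both return epoch seconds, so the where clause is a numeric comparison. Once opened_time has been run through strftime it is a string such as "2021/07/21", and comparing that against an epoch number no longer means what it looks like; that is why the filter runs before any formatting. Assigning opened_time to _time makes timechart bucket by the day the incident was opened rather than by ingest time, and the UI formats _time for display on its own. Two caveats: earliest and latest only constrain the events' own _time, so if incident records are ingested some time after they are opened, earliest alone will not filter opened_time, which is why the where stays; and the subsearch deliberately has no latest=@d, so a record opened yesterday but indexed today is not lost. For the previous calendar month instead of a trailing 30 days, use relative_time(now(), "-1mon@mon") and relative_time(now(), "@mon") as the two bounds.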
Please tell us more about your use case and what you've tried so far. When do the 30 days begin and end? Is opened_time the start or end of the month? What did you try with relative_time?