Splunk Search

filter time for specific range

neethan
Path Finder

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d")
| bin _time span=1d

 

Here _time is giving the complete data; I want to filter it for one month, i.e. 30 days. I tried relative_time, but it's giving data only for a specific day.

1 Solution

neethan
Path Finder

Thanks for all your help, I modified the base search as below and it worked.

| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))


neethan
Path Finder

The query you have given is not working.

I did include earliest in my base search, but it still gives old data. Not sure where it's picking it from.

 

index="ab" source_name=xy platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=abc source_name=xyz earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| table hostname, alert_id, incident_number, correct_host, opened_time
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints


neethan
Path Finder

Here the _time> condition will print Sep, Oct, Nov values as well, but my requirement is to print only previous months.

| savedsearch cbp_inc_base 
| eval _time=strftime(opened_time, "%Y/%m/%d") 
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d 

neethan
Path Finder

I am getting data like this, but I want data only for the previous 30 days.

     _time       false  true
1    2021/07/21      1     0
2    2021/10/04      1     0
3    2021/10/14      2     0
4    2021/11/04

 

| savedsearch cbp_inc_base
| eval _time=strftime(opened_time, "%Y/%m/%d")
| eval _time = if(_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d    /// this errors

 

| savedsearch cbp_inc_base
| eval _time=strftime(opened_time, "%Y/%m/%d")
| eval _time<relative_time(now(),"-3d@d")    /// this gives data for that particular day only, i.e. Dec 31st data
 


ITWhisperer
SplunkTrust

Why are you converting _time to a string (strftime) then comparing to a numeric value (relative_time)? Try doing your comparisons before you convert _time to a string.


richgalloway
SplunkTrust

You were close!  The eval command assigns a value to a field.  To filter events based on field values, use the where command.

| savedsearch cbp_inc_base 
| eval _time=strftime(opened_time, "%Y/%m/%d") 
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d 

 

---
If this reply helps you, Karma would be appreciated.


isoutamo
SplunkTrust

Hi

You should replace the where with this:

 

| where (_time <= relative_time(now(),"@mon")) AND (_time >= relative_time(now(),"-1mon@mon"))

 

Of course it would be best if you can add this already in the index search phase as earliest=.... AND latest=...; that is the most efficient way to do the query.

r. Ismo 

And just like @ITWhisperer said, don't convert _time. The Splunk UI will do that conversion automatically when needed. So just drop that eval _time = strftime... from there.
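An added worked example (not code from any post in this thread) that combines @ITWhisperer's point (compare on the numeric epoch before any strftime) with the calendar-month window above. It builds its own input with makeresults, so it runs without an index: the six sample timestamps, the hasAppBlueprints values and the opened_epoch field name are all assumptions, and the input strings deliberately use the same "%b %d, %Y %H:%M:%S" layout as the thread's opened_time field so the strptime step is the same as in the accepted solution.

```spl
| makeresults count=6
| streamstats count AS n
| eval opened_time=strftime(case(
      n==1, relative_time(now(), "-2mon@mon+5d"),
      n==2, relative_time(now(), "-1mon@mon+2d"),
      n==3, relative_time(now(), "-1mon@mon+50h"),
      n==4, relative_time(now(), "-1mon@mon+15d"),
      n==5, relative_time(now(), "-1mon@mon+27d"),
      n==6, relative_time(now(), "@mon+30h")), "%b %d, %Y %H:%M:%S")
| eval hasAppBlueprints=if(n%2==0, "true", "false")
| eval opened_epoch=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where opened_epoch >= relative_time(now(), "-1mon@mon") AND opened_epoch < relative_time(now(), "@mon")
| eval _time=opened_epoch
| bin _time span=1d
| chart count OVER _time BY hasAppBlueprints
```

Events 1 (two months back) and 6 (current month) are dropped; events 2 and 3 fall on the same day of the previous month and show up as one row with a count in both the false and true columns, event 4 appears only under true and event 5 only under false, and _time stays numeric so the UI renders the dates itself. Three checks worth carrying into the real search: the upper bound is `<` rather than `<=`, so an incident opened exactly at month-start midnight cannot land in two adjacent monthly reports; `earliest`/`latest` in the base search only restrict the index's `_time`, not `opened_time`, which is why adding `earliest=-24h` to the base search did not remove old incidents; and `-1mon@mon`/`@mon` means the previous calendar month, whereas `-30d@d`/`@d` from the accepted solution means a rolling 30-day window ending yesterday, so pick the one the report is actually meant to answer.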


richgalloway
SplunkTrust

Please tell us more about your use case and what you've tried so far.  When do the 30 days begin and end?  Is opened_time the start or end of the month?  What did you try with relative_time?

---
If this reply helps you, Karma would be appreciated.