Solved: Re: filter time for specific range

neethan · ‎01-03-2022

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") |
| bin _time span=1d

here _ time is giving complete data, i want to filter it for one month i.e.. 30days. I tried relative_time, but its giving only for specific day

neethan · ‎01-05-2022

Thanks for all your help, i modified base search as below and it worked

| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))

View solution in original post

neethan · ‎01-05-2022

Thanks for all your help, i modified base search as below and it worked

| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| where (opened_time <= relative_time(now(),"@d")) AND (opened_time >= relative_time(now(),"-30d@d"))

neethan · ‎01-05-2022

the query you ave given is not working.

I did include earliest in my base search, but still it gives old data. Not sure from where its picking

index="ab" source_name=xy platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=abc source_name=xyz earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| table hostname, alert_id, incident_number, correct_host, opened_time
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints

neethan · ‎01-03-2022

here _time> condition will print sep, oct,nov values as well, but my requirement is to print only previous months

| savedsearch cbp_inc_base 
| eval _time=strftime(opened_time, "%Y/%m/%d") 
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d

neethan · ‎01-03-2022

I am getting data like this, but i want data only for previous 30days

_time false true

1	2021/07/21	1	0
2	2021/10/04	1	0
3	2021/10/14	2	0
4	2021/11/04

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") |eval _time = if(_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d /// this errors

| savedsearch cbp_inc_base | eval _time=strftime(opened_time, "%Y/%m/%d") |eval _time<relative_time(now(),"-3d@d") /// this gives data for that particular day i.e. Dec 31st data

ITWhisperer · ‎01-04-2022

Why are you converting _time to a string (strftime) then comparing to a numeric value (relative_time)? Try doing your comparisons before you convert _time to a string.

richgalloway · ‎01-03-2022

You were close! The eval command assigns a value to a field. To filter events based on field values, use the where command.

| savedsearch cbp_inc_base 
| eval _time=strftime(opened_time, "%Y/%m/%d") 
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d

---
If this reply helps you, Karma would be appreciated.

neethan · ‎01-03-2022

here _time> condition will print sep, oct,nov values as well, but my requirement is to print only previous months

| savedsearch cbp_inc_base 
| eval _time=strftime(opened_time, "%Y/%m/%d") 
| where (_time<relative_time(now(),"-3d@d") AND _time>relative_time(now(),"-30d@d"))
| bin _time span=1d

isoutamo · ‎01-03-2022

Hi

you should replace where with this

| where (_time <= relative_time(now(),"@mon")) AND (_time >= relative_time(now(),"-1mon@mon"))

Of course it will be best if you can add this already on search from index phase as earliest=.... AND latest=... that was the most efficient way to do the query.

r. Ismo

And just like @ITWhisperer said, don't convert _time. Splunk UI will do that conversion when needed automatic. So just drop that eval _time = strftime... from there.

neethan · ‎01-04-2022

the query you ave given is not working.

I did include earliest in my base search, but still it gives old data. Not sure from where its picking

index="ab" source_name=xy platformName=REDHAT earliest=-24h
| table hostName, source_name, hasAppBlueprints | rename hostName as hostname
| join type=inner max=0 hostname [ search
index=abc source_name=xyz earliest=-21d | dedup incident_number
| rex field=transfer_description "found as (?<correct_host>[a-zA-Z0-9\-]+) "
| rename configuration_item as hostname
| eval opened_time=strptime(opened_time, "%b %d, %Y %H:%M:%S")
| table hostname, alert_id, incident_number, correct_host, opened_time
| eval hostname=case(match(hostname, ".* .*"), correct_host, 1==1, hostname) ]
| table hostname, alert_id, incident_number, source_name, opened_time, hasAppBlueprints

richgalloway · ‎01-03-2022

Please tell us more about your use case and what you've tried so far. When do the 30 days begin and end? Is opened_time the start or end of the month? What did you try with relative_time?

---
If this reply helps you, Karma would be appreciated.

filter time for specific range

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation