Re: how to search events in the last 24 hours from...

dboyer313 · ‎11-14-2017

Hello - This should be a pretty simple search but I am new to Splunk.

I want to search events that have occurred in the last 24 hours according from the time stamp in the log field rather than the standard splunk presets. For example, my AV index has a found_date field with unique time stamps. How would I search those events based on the last 24 hours?

Thanks in advance!

keshavkgupta · ‎07-22-2021

@gcusello

@dboyer313

I am having same issue. Not able to get any records when i use below query.

your_search earliest=-25h latest now 
| eval found_date=strptime(found_date,"your time format"), start_time=relative_time(now(),"-24h")
| search found_date>start_time
| ...

Please let me know if got an answer for this.

gcusello · ‎11-14-2017

Hi dboyer313,
why don't you use found_date AS timestamp. it's easy to manage?
Anyway the problem is that you must set a Time period and you could have events with found_date in the last 24 hours and timestamp outside it, but at the same time, you cannot use a too large time period because your search will be very slow!
So you should try something like this:

your_search earliest=-25h latest now 
| eval found_date=strptime(found_date,"your time format"), start_time=relative_time(now(),"-24h")
| search found_date>start_time
| ...

I used -25h as time period, fixing that in the last 25 hours you have all the events with found_date in the last 24 hours, and this is to check.

Bye.
Giuseppe

how to search events in the last 24 hours from a specified field

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!