Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to see 30 days before and 30 days after a date dynamic?

renanprado96
Path Finder
‎03-14-2016 06:48 AM

how I do it?
I want to see 30 days before and 30 days after a date.
If I put "03/03/2016," the system will look for 30 days before and 30 days after the date that I put.
The date "03/03/2016" will not be default, but Dynamic.
But I always have to search data 30 days before and 30 days after the date I choose
Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-14-2016 07:25 AM

You can use subsearch to achieve this. See this run anywhere sample search

Update
adding missing table command in the subsearch

index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("01/01/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d")  | eval latest=relative_time(inputDate,"+30d@d")  | table earliest latest ] | timechart span=1d count

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dennisaraujo
Path Finder
‎03-15-2016 12:30 PM

Hello friends,

Here it worked like this:

index=test [| gentimes start=-1 | eval inputDate=strptime("12/20/2015", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d") | eval latest=relative_time(inputDate,"+30d@d") | fields earliest, latest | format "(" "(" " " ")" "OR" ")" ] | timechart span=1d count

Thank you my friends.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-14-2016 07:25 AM

You can use subsearch to achieve this. See this run anywhere sample search

Update
adding missing table command in the subsearch

index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("01/01/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d")  | eval latest=relative_time(inputDate,"+30d@d")  | table earliest latest ] | timechart span=1d count
0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
‎03-14-2016 10:44 AM

This error occurred:
Unable to parse 1457924399 with format: %m/%d/%Y:%H:%M:%S
The search job has failed due to an error. You may be able view the job in the Job Inspector

Thanks!

0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
‎03-14-2016 11:15 AM

Human readable form
index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("02/02/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d") | eval latest=relative_time(inputDate,"+30d@d") ] | timechart span=1d count
Thanks for attention.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-14-2016 11:39 AM

I missed the table command in the subsearch. Please try the updated answer.

0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
‎03-15-2016 11:40 AM

This was the return:
Error in 'search' command: Unable to parse the search: "AND" operator is missing the clause on the left hand side.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
It did not work when you created the table "table earliest latest".
Already tried with the operator "AND" and used "," not worked.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-15-2016 11:48 AM

Try this

 index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("01/01/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d")  | eval latest=relative_time(inputDate,"+30d@d")  | table earliest latest  | format "" "" "" "" "" ""] | timechart span=1d count
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-14-2016 10:47 AM

Can you post the query that you tried? Are you putting the data value in epoch OR human readable form?

0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
‎03-14-2016 11:16 AM

Human readable form
index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("02/02/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d") | eval latest=relative_time(inputDate,"+30d@d") ] | timechart span=1d count
Thanks for attention.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...