Hello, I need a help with a search that seems very easy, but I'm unable to achieve the results I want. The events are recieved in diferrent days, but no more than 3 days and the date is in the field event.Date. The date format is "yyyy-mm-ddT00:00:00". What I need is to search for all the events within the 3 days and then filter by the date. So i've tried the following search: index=something daysago=3 | eval dayOfSearch = strftime(relative(now(), "-2d@d"), "%Y-%m-%dT%H:%M:%S") | search event.Date = dayOfSearch It does not result to what I was expecting, but if I run the search replacing the variable dayOfsearch with the actual date, like "2021-09-05T00:00:00" it works. What am I doing wrong or is that I better way to achieve this results?   Thank you! ... View more

Hey Guys, this is a continuation of the below topic: https://community.splunk.com/t5/Splunk-Search/Search-query-to-remove-results-from-another-source/m-p/564733#M196718 As you can see from my question before, I thoug I only needed the last event from the same Identification - and if this was the case, the dedup would work fine - but it turns out I need all the events for that ID that comes after the DELETED message.   To get the info, I'm running the following search:     index=xpto (source= inserted OR source=deleted) data.Date="2021-08-25T00:00:00" data.Identification=11894 | sort 0 -data.Timestamp | fillnull value="INSERTED" data.Action | table id data.Action data.Identification       And it returns me the following:     id data.Action data.Identification 8941786c-ab05-46a7-9610-e1d5ee135df7 INSERTED 11894 7232b292-4665-416f-a867-8eac88051b5b INSERTED 11894 901607ac-5c28-4da2-996e-4c6a6b4995f8 INSERTED 11894 2cf1ecd8-dff3-4602-8106-9877ef2d1104 DELETED 11894 b7255bf1-14a9-44f6-899f-12f83c6be6f9 DELETED 11894 392fca7c-18b1-4953-8300-39ff9768033a DELETED 11894 08e49dbd-f0d8-4ca0-897f-6a3ac3ee54cb INSERTED 11894 27c05aa4-6bf0-4a7a-87bf-3d1c90774cc7 DELETED 11894       My goal and help needed is to get all the events that come after the DELETED, in this case, the first 3 events of the search(as this is sorted by Timestamp). Of course it's not always the first 3 as this may vary. Any ideas how I can achieve that?   Thank you! ... View more

I have the following sourcers: "inserted" and "deleted" In the "inserted" i have these fields: Id, Timestamp 1, 2021-08-18T19:39:31.3003273 2, 2021-08-18T02:25:05.786293 3, 2021-08-18T19:39:31.301158 etc.... In the "deleted" I have the same fields: Id, Timestamp 1, 2021-08-18T19:39:31.3003234 1, 2021-08-18T19:28:00.8425431 1, 2021-08-18T19:27:07.2603396 2, 2021-08-18T18:57:52.3556542 2, 2021-08-18T15:06:19.3365628 3, 2021-08-18T15:06:02.5264226 3, 2021-08-18T12:06:29.5371453 3, 2021-08-18T11:55:40.7562728 3, 2021-08-18T03:22:06.3672773 I need to filter the events in the 'inserted' that are newer than in the 'deleted', where the Id's are the same in both sourcers and the timestamp in the 'inserted' is greater than the Timestamp in the 'deleted'. I've managed to set up a search for one ID and manually setting the last timestamp that I found in the 'deleted', as per below:     index=something source=inserted Id=1 | eval data_inserted = strptime('Timestamp', "%Y-%m-%dT%H:%M:%S.%Q") | eval data_deleted = "2021-08-18T19:39:31.3003234" | eval data_deleted = strptime('data_deleted', "%Y-%m-%dT%H:%M:%S.%Q") | where data_inserted > data_deleted     My goal and help needed is on how to do this automatically for the IDs and Timestamp I have in the source='deleted'. Your help is very much appreciated. Thank you! ... View more