Solved: Filtering out one field by time in a search

iiRajMahalii · ‎10-11-2021

I have a lookup table with a few fields (FirstSeenDate, LastSeenDate, IP, etc...). I have a search created to show me the top 10 events in the table by count. What I want to do is add a part in the search to filter out anything that is older than 90 days in the FirstSeenDate column.

richgalloway · ‎10-11-2021

To filter out events where FirstSeenDate is older than 10 days, insert this early in your query

| where strptime(FirstSeenDate, "%Y-%m-%d %H:%M:%S") < relative_time(now(), "-90d")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-11-2021

To filter out events where FirstSeenDate is older than 10 days, insert this early in your query

| where strptime(FirstSeenDate, "%Y-%m-%d %H:%M:%S") < relative_time(now(), "-90d")

---
If this reply helps you, Karma would be appreciated.

iiRajMahalii · ‎10-11-2021

Thank you! That did the trick. I added this to the string right after the lookup.csv is being called.

iiRajMahalii · ‎10-11-2021

So far I just have it being listed as top 10 from the list.

The format of the FirstSeenDate is YYYY-mm-dd HH:MM:SS

I want to have the results give me the top 10 events by count which it already does but also filter the FirstSeenDate as only list the top 10 events from the last 3 months.

Thank you

richgalloway · ‎10-11-2021

That shouldn't be too difficult. What have you tried so far? What is the format of the FirstSeenDate field?

---
If this reply helps you, Karma would be appreciated.

Filtering out one field by time in a search

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms