Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help searching dataset with a date field

solaced
Explorer
‎11-25-2021 07:44 PM

Hi I'm looking to search a dataset to returns entries from yesterday's date based off a date field which has been converted as such (from another job):  | eval event_time = now() | convert ctime(event_time) 

The value is stored as 11/24/2021 22:28

Please assist how to search and return this value using a yesterday variable?

I hope that makes sense, forgive me I'm still learning.

 

To illustrate,  manually entering eventDate="11/24" works, but not sure how to get a 'yesterday' to work with the dataset.

| inputlookup thisDataset.csv | search eventDate="11/24*"
| sort Brand, eventDate
| iplocation clientip
| table _time Brand clientip City Region count eventDate

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2021 09:08 PM

In such case it makes sense to use a subquery. For example:

| inoutlookup your.csv | search 
 [ | makeresults 
   | eval d=now()-86400
   | eval eventDate=strftime("%i %never %remember %these",d)
   | fields eventDate ]

 

Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-25-2021 10:57 PM

Here

 

| eval eventDate=strftime(d, "%d/%m/%Y")

 

If needed you can concatenate * to end of the string.

And bookmark to that page

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables 

Another link to commands

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

 

Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2021 11:05 PM

Thanks. Had I been wrtiting this on my computer I'd surely check the timespecs. But in the morning I usually answer on my tablet while walking the dog 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...