Re: Help searching dataset with a date field

solaced · ‎11-25-2021

Hi I'm looking to search a dataset to returns entries from yesterday's date based off a date field which has been converted as such (from another job): | eval event_time = now() | convert ctime(event_time)

The value is stored as 11/24/2021 22:28

Please assist how to search and return this value using a yesterday variable?

I hope that makes sense, forgive me I'm still learning.

To illustrate, manually entering eventDate="11/24" works, but not sure how to get a 'yesterday' to work with the dataset.

PickleRick · ‎11-25-2021

In such case it makes sense to use a subquery. For example:

| inoutlookup your.csv | search 
 [ | makeresults 
   | eval d=now()-86400
   | eval eventDate=strftime("%i %never %remember %these",d)
   | fields eventDate ]

isoutamo · ‎11-25-2021

Here

| eval eventDate=strftime(d, "%d/%m/%Y")

If needed you can concatenate * to end of the string.

And bookmark to that page

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Another link to commands

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

PickleRick · ‎11-25-2021

Thanks. Had I been wrtiting this on my computer I'd surely check the timespecs. But in the morning I usually answer on my tablet while walking the dog 🙂

Help searching dataset with a date field

lookup

search job inspector

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!