Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search based on the the time field from the event?

bhuvanabala
New Member
‎06-17-2019 11:42 PM

Hi Team,

I am having field called expirationdatetime in my event and its format is 2019-06-21T06:08:40.220082Z. My requirement is to get the count of users whose request going to expire in next 2 days.

Built a search - index="XXX" sourcetype="RRR" expirationdatetime=now+2d

When i hit the above expression, i didnt get any events.

Help on this

0 Karma
Reply

DavidHourani
Super Champion
‎06-18-2019 12:09 PM

Hi @bhuvanabala,

This should do the trick :

index="XXX" sourcetype="RRR" 
|eval expirationdatetime=strptime(expirationdatetime,"%Y-%m-%dT%H:%M:%S.%Q") 
|where expirationdatetime < relative_time(now(), "-+2d")

Let me know if it helps.

Cheers,
David

0 Karma
Reply

pramit46
Contributor
‎06-18-2019 12:46 AM

@bhuvanabala,

Does this help?

| makeresults 
| eval time_given="2019-06-20T06:08:40.220082Z" 
| eval time_given_in_epoch_format=strptime(time_given,"%Y-%m-%dT%H:%M:%S.%Q") 
| eval time_2_days_from_now=relative_time(now(),"+2d") 
| eval time_2_days_from_now_human_readable=strftime(time_2_days_from_now,"%Y-%m-%d %H:%M:%S.%Q")
| eval breach=if(time_given_in_epoch_format>=time_2_days_from_now,1,0)
|table breach
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...