Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search based on the the time field from the event?

bhuvanabala
New Member
‎06-17-2019 11:42 PM

Hi Team,

I am having field called expirationdatetime in my event and its format is 2019-06-21T06:08:40.220082Z. My requirement is to get the count of users whose request going to expire in next 2 days.

Built a search - index="XXX" sourcetype="RRR" expirationdatetime=now+2d

When i hit the above expression, i didnt get any events.

Help on this

0 Karma
Reply

DavidHourani
Super Champion
‎06-18-2019 12:09 PM

Hi @bhuvanabala,

This should do the trick :

index="XXX" sourcetype="RRR" 
|eval expirationdatetime=strptime(expirationdatetime,"%Y-%m-%dT%H:%M:%S.%Q") 
|where expirationdatetime < relative_time(now(), "-+2d")

Let me know if it helps.

Cheers,
David

0 Karma
Reply

pramit46
Contributor
‎06-18-2019 12:46 AM

@bhuvanabala,

Does this help?

| makeresults 
| eval time_given="2019-06-20T06:08:40.220082Z" 
| eval time_given_in_epoch_format=strptime(time_given,"%Y-%m-%dT%H:%M:%S.%Q") 
| eval time_2_days_from_now=relative_time(now(),"+2d") 
| eval time_2_days_from_now_human_readable=strftime(time_2_days_from_now,"%Y-%m-%d %H:%M:%S.%Q")
| eval breach=if(time_given_in_epoch_format>=time_2_days_from_now,1,0)
|table breach
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...