Solved: Work with dates outside of timestamp

gnoellbn · ‎09-18-2013

Hello,

I'm trying to keep only results where the date in a field (unix time) is earlier than the previous month.

I've tried a couple of searches but I can't figure it out, this is the latest I found :

| where recentTime=relative_time(now(), "-mon")

Thanks 😉

lguinn2 · ‎09-18-2013

Try

| where recentTime < relative_time(now(),"-mon@mon")

or

| where recentTime < relative_time(now(),"-2mon@mon")

If the current month is September, the first clause will select only events prior to 1-Sep. The second will select only events prior to 1-Aug

View solution in original post

lguinn2 · ‎09-18-2013

Try

| where recentTime < relative_time(now(),"-mon@mon")

or

| where recentTime < relative_time(now(),"-2mon@mon")

If the current month is September, the first clause will select only events prior to 1-Sep. The second will select only events prior to 1-Aug

tweekes · ‎10-29-2013

Thank You!
You put me on the correct path. I needed the following.
sourcetype=qps | where strptime(last_updt_dtm,"%Y-%m-%d %H:%M:%S") < relative_time(now(),"-2mon@mon")

lguinn2 · ‎10-28-2013

You can't put a calculation like last_updt_dtm < relative_time(now(),"-2mon@mon") in the search string. Note in my answer that this was part of the where command. So your first search could be

sourcetype=qps | where last_updt_dtm < relative_time(now(),"-2mon@mon")

tweekes · ‎10-28-2013

I have 9999 events where the earliest one is:
last_updt_dtm = 2010-09-30 17:43:48

sourcetype=qps _time < now()

Returns all 9999

The following two searches fail
sourcetype=qps last_updt_dtm < relative_time(now(),"-2mon@mon")
sourcetype=qps _time < relative_time(now(),"-2mon@mon")

Any help would be much appreciated!
Thanks!

Work with dates outside of timestamp

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life