Is there a way in which we can filter the records ...

ursarun · ‎12-17-2014

I have a requirement where i have to filter the records fetched between 2 date times. How to include this filter criteria in the splunk query?

somesoni2 · ‎12-17-2014

Try using subsearch to set the earliest and latest for the Splunk search. Syntax of subsearch would be like this.
Syntax:

[| gentimes start=-1 | eval earliest=strptime("YourStartDateInHumanReadableFormat","FormatOfYourDate") | eval latest=strptime"YourEndDateInHumanReadableFormat","FormatOfYourDate") | table earliest,latest | format]

Usage:

your base search  .. [| gentimes start=-1 | eval earliest=strptime("YourStartDateInHumanReadableFormat","FormatOfYourDate") | eval latest=strptime"YourEndDateInHumanReadableFormat","FormatOfYourDate") | table earliest,latest | format]...| rest of the search

If using in dashboard, you can use token in place of "YourStartDateInHumanReadableFormat" and "YourEndDateInHumanReadableFormat".

aweitzman · ‎12-17-2014

You'll need to convert the datetime field to an epochtime filed using convert's mktime() function:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert

Do the same for your beginning and ending datetimes, and then filter using the comparison:

...your search...
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(fieldtime) as fieldepoch
| eval begintime="2014-01-01 00:00:00"
| eval endtime="2014-12-31 23:59:59"
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(begintime) as beginepoch
| convert timeformat="%Y-%m-%d %H:%M:%S" mktime(endtime) as endepoch
| where fieldepoch > beginepoch AND fieldepoch < endepoch

Is there a way in which we can filter the records fetched, based on a datetime column by specifying the start and end datetimes?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life