Splunk Search

Alert to search greater than 30 days

prains
New Member

Hi there,

I'm looking to create an alert that searches for entries 30 days greater than today. So basically, if I run the alert in a search right now, and 31 days ago something was created, I want to see those results. I figured out that I need a where clause since the advanced search isn't retained when you Save As > Alert, but I can't figure out the correct way to write it. I'd appreciate any help. Thanks so much!

0 Karma
1 Solution

lguinn2
Legend

In your search, you can explicitly set a time range. This is true whether the search is used as an alert or a report. While you can do this by clicking the time range selector, you can also do it in the search itself, like this:

sourcetype=xyx index=abc earliest=-31d@d latest=-30d@d

This says "start the search at the beginning of the day exactly 31 days ago, and end the search at the beginning of the day exactly 30 days ago."

Instead of "d" for day, you can also use (h)our, (m)inute, etc. Here is the list of time modifiers and a few examples.

You don't need a where command.

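To see what the modifiers in the accepted answer actually resolve to, here is an added example (not from the thread, and not Splunk's own code): a small Python resolver for Splunk-style relative time modifiers that applies the offset first and then the @snap, used to compare the snapped window earliest=-31d@d latest=-30d@d with an unsnapped -30d. It assumes naive datetimes treated as UTC and a constructed run time; in Splunk the @d boundary follows the user's configured time zone.

```python
"""Resolve Splunk-style relative time modifiers such as -31d@d (offset, then snap-to).
Supports offsets in s/m/h/d/w and snaps to s/m/h/d/w/mon/y; Splunk's mon/q/y offsets
and chained modifiers are not implemented (assumption). Naive datetimes, treated as UTC."""
import re
from datetime import datetime, timedelta

# "now" or [+-]N<unit>, optionally followed by @<snap-unit>; a bare "@d" is also valid.
_MOD = re.compile(r"^(?:now|([+-]\d+)(s|m|h|d|w))?(?:@(s|m|h|d|w|mon|y))?$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def snap(t: datetime, unit: str) -> datetime:
    """Round t down to the start of unit (weeks start on Sunday, as @w does in Splunk)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":  # weekday(): Monday=0 .. Sunday=6, so Sunday is (weekday+1) % 7 days back
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "y"


def resolve(modifier: str, now: datetime) -> datetime:
    """Apply one modifier to `now`: the offset first, then the snap (always rounding down)."""
    m = _MOD.match(modifier.strip())
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    amount, unit, snap_unit = m.groups()
    t = now + timedelta(seconds=int(amount) * _SECONDS[unit]) if amount else now
    return snap(t, snap_unit) if snap_unit else t


def search_window(earliest, latest, now):
    """Return the (start, end) instants an SPL search with these modifiers covers."""
    return resolve(earliest, now), resolve(latest, now)


if __name__ == "__main__":
    run = datetime(2024, 3, 15, 14, 30, 45)  # constructed run time, so output is reproducible
    start, end = search_window("-31d@d", "-30d@d", run)
    print("snapped   :", start, "->", end)  # exactly one calendar day, 31 days ago
    print("unsnapped :", resolve("-31d", run), "->", resolve("-30d", run))  # slides with clock time
```

The snapped window is the same fixed calendar day no matter what time the alert fires, which is why a scheduled alert gets every event exactly once; the unsnapped form moves with the clock and can miss or double-count events around the boundary.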
prains
New Member

Thank you both very much. earliest=-31d@d latest=-30d@d did the trick.

0 Karma

gfreitas
Builder

Hi Prains,

I think it works if you use "-30d" in the Finish time.

Hope it helps

0 Karma