Hi,
I am trying to display logs for the last 24 hrs on Splunk. My search is:
index=peppol sourcetype=peppol-outbound | eval LastModtime=strftime(strptime(createDtTimeStamp,"%m-%d-%Y %H:%M:%S"),"%d/%Y/%m %p") | eval age=now()-recentTime | eval age=(age/3600)
Up to this point it is showing logs for the last 1 hour, but when I add |where age>86400/3600 after eval age=(age/3600), it is showing nothing in the results, so could somebody please guide me on how to do this?
Thanks
Sunny
Update:
This is the latest thing I have done. I changed the search and got some better results, but it is showing logs for the last 3 days instead of the last 24 hrs: it shows logs for the last 3 days at a time interval of 24 hrs.
index=peppol sourcetype=peppol-outbound earliest=-1d@d | timechart span=24h count | eval LastModtime=strftime(strptime(createDtTimeStamp,"%m-%d-%Y %H:%M:%S"),"%d/%Y/%m %p")
Hmm. If earliest=-1d@d is giving you data from 3 days ago, it sounds like a data or onboarding problem. You should be able to use earliest=-24h to get data from 24 hours ago.
I'd suggest checking to make sure that the props.conf stanza for that input has the correct time zone setting.
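As an added example (not from either poster), here is one way to write the 24-hour filter in SPL so that it also exposes the time-zone problem the reply points at. It uses the index, sourcetype and createDtTimeStamp field named in the question; the field names createEpoch, age_hours and tz_skew_hours are assumptions introduced here for illustration.

```spl
index=peppol sourcetype=peppol-outbound earliest=-24h latest=now
| eval createEpoch=strptime(createDtTimeStamp,"%m-%d-%Y %H:%M:%S")
| eval age_hours=round((now()-createEpoch)/3600,2)
| eval tz_skew_hours=round((_time-createEpoch)/3600,2)
| where age_hours<=24
| eval LastModtime=strftime(createEpoch,"%d/%m/%Y %I:%M %p")
| table _time createDtTimeStamp LastModtime age_hours tz_skew_hours
```

earliest=-24h already restricts the search to events whose indexed _time falls in the last 24 hours; the where clause repeats the check against the timestamp parsed from the raw field, which is the comparison the original search was attempting. tz_skew_hours is the difference between _time (assigned at index time from the props.conf settings for the sourcetype) and the same timestamp re-parsed at search time in the searching user's time zone; if it comes out as a constant whole number of hours rather than 0, the sourcetype's TZ setting in props.conf and the user's time zone disagree, which is the kind of onboarding problem that makes a -1d@d search appear to cover three days.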