Solved: Display events when current date is >= 30 days fro...

jsven7 · ‎11-24-2015

Spent all day trying to figure this out. The events I'm working with contain a field with an expiration date in Unix epoch time. I'm trying to bring up a table of events when current date is >= 30days before the expiration date. Combed through documentation and Splunk Answers no luck. Thanks in advance.

Example data:

expiration_date=1548910800000

woodcock · ‎11-24-2015

Like this:

... | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays>=30

View solution in original post

woodcock · ‎11-24-2015

Like this:

... | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays>=30

jsven7 · ‎11-24-2015

Meant to write '<' instead of '>'. Its not giving events where now() is <= 30days of expiration_date

mysearch... |eval now=now() | eval deltaDays = (now() - expiration_date)/86400 | where deltaDays<=30 | table loginuid, token_serial, now, expiration_date

woodcock · ‎11-24-2015

So did this work for you?

jsven7 · ‎11-30-2015

Sorry for late response was out for Thanksgiving. Hope you enjoyed yours!

I'm trying to test with this:

I expect to see events where the Expiration_date field is <= 30 days from now() but this is not the case. Am I using the where command correctly?

woodcock · ‎12-01-2015

I did not look closely at your sample data and there is a problem there. It is neither in epoch, nor in any encoding that I can discern. If you can convert this to epoch, then my solution will work for you.

woodcock · ‎12-01-2015

Even if I assume it is in milliseconds, this converts to Thu, 31 Jan 2019 05:00:00 GMT!

sundareshr · ‎11-24-2015

See if this gives you some ideas...

Display events when current date is >= 30 days from expiration date

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!