Solved: how to see 30 days before and 30 days after a date...

renanprado96 · ‎03-14-2016

how I do it?
I want to see 30 days before and 30 days after a date.
If I put "03/03/2016," the system will look for 30 days before and 30 days after the date that I put.
The date "03/03/2016" will not be default, but Dynamic.
But I always have to search data 30 days before and 30 days after the date I choose
Thanks!

somesoni2 · ‎03-14-2016

You can use subsearch to achieve this. See this run anywhere sample search

Update
adding missing table command in the subsearch

index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("01/01/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d")  | eval latest=relative_time(inputDate,"+30d@d")  | table earliest latest ] | timechart span=1d count

View solution in original post

dennisaraujo · ‎03-15-2016

Hello friends,

Here it worked like this:

Thank you my friends.

somesoni2 · ‎03-14-2016

You can use subsearch to achieve this. See this run anywhere sample search

Update
adding missing table command in the subsearch

index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("01/01/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d")  | eval latest=relative_time(inputDate,"+30d@d")  | table earliest latest ] | timechart span=1d count

renanprado96 · ‎03-14-2016

This error occurred:
Unable to parse 1457924399 with format: %m/%d/%Y:%H:%M:%S
The search job has failed due to an error. You may be able view the job in the Job Inspector

Thanks!

renanprado96 · ‎03-14-2016

Human readable form
index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("02/02/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d") | eval latest=relative_time(inputDate,"+30d@d") ] | timechart span=1d count
Thanks for attention.

somesoni2 · ‎03-14-2016

I missed the table command in the subsearch. Please try the updated answer.

renanprado96 · ‎03-15-2016

This was the return:
Error in 'search' command: Unable to parse the search: "AND" operator is missing the clause on the left hand side.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
It did not work when you created the table "table earliest latest".
Already tried with the operator "AND" and used "," not worked.

somesoni2 · ‎03-15-2016

Try this

 index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("01/01/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d")  | eval latest=relative_time(inputDate,"+30d@d")  | table earliest latest  | format "" "" "" "" "" ""] | timechart span=1d count

somesoni2 · ‎03-14-2016

Can you post the query that you tried? Are you putting the data value in epoch OR human readable form?

renanprado96 · ‎03-14-2016

Human readable form
index=_internal sourcetype=splunkd [| gentimes start=-1 | eval inputDate=strptime("02/02/2016", "%m/%d/%Y") | eval earliest=relative_time(inputDate,"-30d@d") | eval latest=relative_time(inputDate,"+30d@d") ] | timechart span=1d count
Thanks for attention.

how to see 30 days before and 30 days after a date dynamic?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...