Solved: How to filter results based on date (not _time)?

tmaltizo · ‎03-13-2017

I'm trying to filter my data results based on the following:

myDate format: yyyy-mm-dd HH:MM:SS (Ex: 2017-03-14 03:59:59)

I need to filter results where the myDate is within the last 3 months. I attempted the solution from the following post, but I get no results when there should be. https://answers.splunk.com/answers/387898/how-to-filter-a-dashboard-search-based-on-a-date-f.html

Please let me know if more info is needed. Thanks for your help in advance!
Trista

somesoni2 · ‎03-13-2017

From that post itself, this should be your version (assuming the field which contains string date is 'myDate'). Please ensure to have larger time range for the search as it myDate is not _time (time range only applies on _time field)

your base search 
 | eval myDate= strptime(myDate, "%Y-%m-%d %H:%M:%S") 
 | where myDate>=relative_time(now(),"-3mon")

View solution in original post

somesoni2 · ‎03-13-2017

From that post itself, this should be your version (assuming the field which contains string date is 'myDate'). Please ensure to have larger time range for the search as it myDate is not _time (time range only applies on _time field)

your base search 
 | eval myDate= strptime(myDate, "%Y-%m-%d %H:%M:%S") 
 | where myDate>=relative_time(now(),"-3mon")

tmaltizo · ‎03-14-2017

This works! Thanks so much @somesoni2!

somesoni2 · ‎03-14-2017

Glad it worked out for you. You can close this question by accepting this answer.

How to filter results based on date (not _time)?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life