Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to generate a search that finds events that are older than 90 days?

srikanthpanchak
New Member
‎03-17-2017 03:11 AM

Hi,

Below is my sample event. I want to create a search base which would return all such below events where FirstOccurrence field is more than 90 days old. This is a date field showing the time stamp when the event triggered first. I want to look for such events which are older than 90 days. Can you please help me with this? 

UPDATE:: "Dash-Time"=03/17/2017 09:52:02 AM!"Node"="TOKAR"!"NodeAlias"="TOK1-RR1"!"Severity"=3!"FirstOccurrence"=12/20/2016 03:36:41 PM!"LastOccurrence"=03/17/2017 09:52:02 AM!"Summary"="BGP Peer Connection Idle  ( bgpPeerRemoteAddr: 10.108.73.16 )"!"Count"=117648!"Category"="WAN,WAN-CORE"!"MonitoringAgent"="MttrapdProbe@c702quanmpnci"!"AlertGroup"="BGP Peer Status"!"AlertKey"="bgpPeerEntry.10.108.73.16"!"Maintenance"=0!"Identifier"="TOKAR bgpPeerEntry.10.108.73.16 BGP Peer Status 1 IETF-BGP MttrapdProbe@c702quanmpnci 2 1"!"Serial"=14261338!"Action"="" ::UPDATE
0 Karma
Reply

cmerriman
Super Champion
‎03-17-2017 05:08 AM

try something like this. you only need the rex if you don't already have the raw events broken out.

....|rex field=_raw "FirstOccurrence(?<FirstOccurrence>.*)!"LastOccurrence"
|eval FirstOccurrence=strptime(FirstOccurrence,"%m/%d/%Y %H:%M:%S %p")
|eval lastNinetyDays=now()-7776000
|where FirstOccurrence<=lastNinetyDays
Reply

DalJeanis
Legend
‎03-17-2017 12:06 PM

In the rex, you need to escape the quote before "LastOccurrence", but actually I'd just delete everything after the ! since the ! is the delimiter.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...