How to generate a search that finds events that ar...

srikanthpanchak · ‎03-17-2017

Hi,

Below is my sample event. I want to create a search base which would return all such below events where FirstOccurrence field is more than 90 days old. This is a date field showing the time stamp when the event triggered first. I want to look for such events which are older than 90 days. Can you please help me with this?

UPDATE:: "Dash-Time"=03/17/2017 09:52:02 AM!"Node"="TOKAR"!"NodeAlias"="TOK1-RR1"!"Severity"=3!"FirstOccurrence"=12/20/2016 03:36:41 PM!"LastOccurrence"=03/17/2017 09:52:02 AM!"Summary"="BGP Peer Connection Idle  ( bgpPeerRemoteAddr: 10.108.73.16 )"!"Count"=117648!"Category"="WAN,WAN-CORE"!"MonitoringAgent"="MttrapdProbe@c702quanmpnci"!"AlertGroup"="BGP Peer Status"!"AlertKey"="bgpPeerEntry.10.108.73.16"!"Maintenance"=0!"Identifier"="TOKAR bgpPeerEntry.10.108.73.16 BGP Peer Status 1 IETF-BGP MttrapdProbe@c702quanmpnci 2 1"!"Serial"=14261338!"Action"="" ::UPDATE

cmerriman · ‎03-17-2017

try something like this. you only need the rex if you don't already have the raw events broken out.

....|rex field=_raw "FirstOccurrence(?<FirstOccurrence>.*)!"LastOccurrence"
|eval FirstOccurrence=strptime(FirstOccurrence,"%m/%d/%Y %H:%M:%S %p")
|eval lastNinetyDays=now()-7776000
|where FirstOccurrence<=lastNinetyDays

DalJeanis · ‎03-17-2017

In the rex, you need to escape the quote before "LastOccurrence", but actually I'd just delete everything after the ! since the ! is the delimiter.

How to generate a search that finds events that are older than 90 days?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!