Please help me with the search command that will o...

tejasbharadwaj · ‎06-13-2017

Hello,

Please help me with the below:-

1) search command that will only display the list of last 15 days events.
Example:- I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today) . Using this "opened_at" field, I need to extract the list of last 15 days events i.e., events from 30th May - 13th June (today). So I would need a search command to get this result.

2) search command that will display the list of events from last 15 days to 30 days.
Example:- I have the date field called "opened_at" where dates are in (dd/mm/yyyy hh:mm) format and the data from 1st Jan 2017 to 13th June 2017 (today) . Using this "opened_at" field, I need to extract the list of events from last 15 days to 30 days i.e., events from 15th May - 30th May. So I would need a search command to get this result.

Please help!

horsefez · ‎06-13-2017

Hi,

I have tried to solve your problem. This answer might help you further into solving your question. Keep in mind, that there might be a more efficient solution for this.

I just used the splunk internal index _audit to simulate your setup.
Here is what I go so far, this is the solution for past 15 days (to apply this to past 15 to 30 days isn't that hard)

index=_audit | eval opened_at=strftime(_time,"%d/%m/%Y %H:%M") | rex field=opened_at "(?<day>\d+)\/(?<month>\d+)\/(?<year>\d+)" | eval range=day+month+year | eventstats max(range) AS latest_range | where range>latest_range-15 | table _time day month year range latest_range

Please help me with the search command that will only display the list of last 30 days events

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life