Splunk Search

How can I look back 7 days from when an event occurred?

auaave
Communicator

Hey Guys,

I have a daily report that is showing the # of orders planned and completed for the day. However, sometimes the order plan and completion don't happen on the same day. Some of the information that I need is available only when the order is received. Therefore, if the order was completed today but it was received yesterday, this information is lost. I have added earliest=-7d on my query, but this is looking back 7 days from when the search was done and not 7 days from when the event happened.

The below query works when we are looking at today's orders, but when we have to look back at a few months' reports it doesn't work properly. How can I make it look back 7 days from when the event happened? Thanks a lot!

| join type=outer BATCHNO 
    [ search index=* source="WCT_4BATCH_STATUS" STATUS=RECEIVED earliest=-7d 
    | eval RFT=strptime(RFT,"%Y-%m-%d %H:%M:%S.%N") 
    | stats max(RFT) as rft by BATCHNO] 
| join type=outer ORDERNO 
    [ search index=* source="WCT_4DELIVERY_ORDER_STATUS" STATUS=RECEIVED earliest=-7d 
    | rex field=ORDERNO "-(?<ORDERNO>\d+)" 
    | stats values(SIOFLAG) as flag by ORDERNO] 
0 Karma

Shan
Builder

@auaave - If you want to achieve this, check whether you have any date information or date field in your events. You can pick that date and filter the required information. For example, if you have a field like order_date or order_close_date, then you can filter the data with the help of it rather than using earliest and latest. Kindly check which timestamp the data are indexed into Splunk on.

0 Karma

dstaulcu
Builder

What were you doing in the 7 days that preceded the murder?

sourcetype=actions person="you" 
        [ search action=murder 
        | eval earliest = (_time -7 * 86400), latest = (_time) 
        | fields host earliest latest 
        | format "(" "(" "" ")" "OR" ")" ] 

Thanks Splunk mug!

0 Karma
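The event-relative window that dstaulcu's subsearch builds (earliest = _time - 7*86400, latest = _time), worked through in Python as an added example; this is not code from the thread or from Splunk, and the sample rows, the field layout and the function names are assumptions. It contrasts the asker's search-relative earliest=-7d with a per-event window, using the thread's own RFT format.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=7)

# Constructed sample rows (not from the thread). RFT uses the thread's
# "%Y-%m-%d %H:%M:%S.%N" layout; Python spells the fractional part "%f".
RECEIVED = [  # (BATCHNO, RFT) from WCT_4BATCH_STATUS with STATUS=RECEIVED
    ("B1", "2024-03-01 08:00:00.000"),
    ("B1", "2024-03-09 09:30:00.000"),   # within 7 days of B1's completion
    ("B2", "2024-02-20 10:00:00.000"),   # 19 days before B2's completion
    ("B3", "2024-03-12 11:00:00.000"),   # after B3's completion
]
COMPLETED = [  # (BATCHNO, completion _time) from the outer search
    ("B1", datetime(2024, 3, 10, 17, 0)),
    ("B2", datetime(2024, 3, 10, 17, 5)),
    ("B3", datetime(2024, 3, 10, 17, 10)),
]


def parse_rft(text):
    """eval RFT=strptime(RFT, ...) from the asker's subsearch."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def max_rft_in_window(batchno, earliest, latest, received=RECEIVED):
    """stats max(RFT) by BATCHNO, restricted to earliest <= RFT <= latest."""
    hits = [parse_rft(rft) for b, rft in received
            if b == batchno and earliest <= parse_rft(rft) <= latest]
    return max(hits) if hits else None


def enrich_search_relative(completed, search_time, received=RECEIVED):
    """The asker's current behaviour: earliest=-7d is measured from the
    moment the search runs, and no latest is set, so the window is the
    same for every event and drifts away from old reports."""
    earliest = search_time - LOOKBACK
    return {b: max_rft_in_window(b, earliest, datetime.max, received)
            for b, _ in completed}


def enrich_event_relative(completed, received=RECEIVED):
    """dstaulcu's approach: every event carries its own earliest/latest
    (_time - 7 days .. _time), so the window follows the event and
    receipts logged after completion are excluded as well."""
    return {b: max_rft_in_window(b, t - LOOKBACK, t, received)
            for b, t in completed}


if __name__ == "__main__":
    print(enrich_search_relative(COMPLETED, datetime(2024, 6, 1)))  # all None
    print(enrich_event_relative(COMPLETED))  # only B1 is enriched
```

Run months later, the search-relative version finds nothing for any batch, while the event-relative version still attaches B1's latest receipt and correctly drops B2 (too old) and B3 (received after completion).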

consultanteIman
New Member

Hello,

I think you have to retrieve the timestamp of the event, and then subtract 7 days (converted to a timestamp) from your original timestamp.

I hope that helps you.

Regards,

0 Karma