I want to exclude events before a certain date ( n...

PC00128849 · ‎09-14-2019

Lets say i have a column called as birthdate in my events and i do not want to see the events or birth records which are before 01.01/2015. can somebody help me to do this?

maciep · ‎09-14-2019

You should be able to use strptime to convert to epoch and then do the check. So let's say your birthday field is in the a mm-dd-yyyy format...

your base search
| eval bd_epoch = strptime(birthday,"%m-%d-%Y"), bd_earliest_epoch = strptime("01-01-2015","%m-%d-%Y")
| where bd_epoch >= bd_earliest_epoch

PC00128849 · ‎09-23-2019

This is not returning expected values.

below are the result events

ItemName c_time p_time
Project_2 04-08-2019 05-04-2017
VAR_T_IB 01-04-2019 05-04-2017
VAR_ItemConfig_IB 02-01-2019 05-04-2017
VAR_Item_VAR 02-01-2017 05-04-2017

Ideally it should have only shown my last event. but it shows even bigger dates that 05-04-2017

maciep · ‎09-25-2019

ah, looks like you're comparing strings not timestamps, so splunk is going to compare them as strings. Either compare the epochs or reformat the date strings to a format that will work with a string compare, e.g. Year-Month-Date.

i'd go with epoch first at least, maybe this?

.... | where epochdate < bd_earliest_epoch | ....

I want to exclude events before a certain date ( not timestamp).

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!