Splunk Search

Use Date String in Search

pedroma
Engager

Background

I have a date string that I want to use in a search, but I don't know how.

Log

I have this text (called date_info) as part of a log line:

Nov 12 13:36:09 server_01 server[9513]: 2019-11-12 13:36:09

Now date_info has some problems, namely the fact that it has the date repeated multiple times, but the one thing I am looking for is the date at the end, namely 2019-11-12 13:36:09.

I am able to fetch that last part and convert it into a real date via the following query:

host=server00 date_info=* | eval date_str=substr(date_info, -19) | eval real_date=strptime(date_str,"%Y-%m-%d %H:%M:%S") | table real_date date_str field1 field2

Problem

The problem here is that I want to get all logs after real_date. I cannot use _time from Splunk because these logs were added manually in a batch process, so the date I can use is the one in text.

I have checked the Time Modifiers documentation but it is still unclear to me on how to use it.

Question

How can I get all the logs after real_date ?

0 Karma
1 Solution

dindu
Contributor

Hi Pedroma,

This can be achieved by filtering based on the time fields you have extracted; in our case, use the field "real_date".
To apply a time filter within a search, every time field should be in machine (epoch) time, which means we have to convert any human-readable time by using strptime.
If you are using the query in a dashboard, please use the steps below.
Step 1) Create a time input field with tokens to fetch the time values as below. Use token="sampleTimeInput"



The earliest and latest time can be fetched anywhere in the dashboard by using $sampleTimeInput.earliest$ and $sampleTimeInput.latest$.
Step 2) Use a where clause in the query to filter based on the input time field. Replace makeresults with index and sourcetype. Please note that you can filter the events which are inside the _time window.
| makeresults
| eval date_info="Nov 12 13:36:09 server_01 server[9513]: 2019-11-12 13:36:09"
| eval date_str=substr(date_info, -19)
| eval real_date=strptime(date_str,"%Y-%m-%d %H:%M:%S")
| table real_date date_str field1 field2
| where real_date>$sampleTimeInput.earliest$ AND real_date<$sampleTimeInput.latest$
P.S. - In the input time filter use the date range and choose both earliest and latest time.

If you are using the query in a search panel, please use the query below. Give the date and the format to convert to epoch time and then do the filtering.

| makeresults
| eval date_info="Nov 12 13:36:09 server_01 server[9513]: 2019-11-12 13:36:09"
| eval date_str=substr(date_info, -19)
| eval real_date=strptime(date_str,"%Y-%m-%d %H:%M:%S")
| table real_date date_str field1 field2
| where real_date>strptime("YOUR_DATE","%Y-%m-%d %H:%M:%S")

Happy Splunking!!

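Added worked example (not part of the answer above or of Splunk's own documentation): the same filter run over three constructed log lines, so the behaviour can be checked with makeresults before pointing it at real data. Two differences from the answer's query are deliberate. First, the timestamp is pulled with a rex anchored to the end of the line instead of substr(date_info, -19); the second constructed line carries a trailing space, and with substr that line's slice would start at "019-11-12 ...", strptime would return null, and the event would silently disappear from the results. Second, the cutoff is computed once into its own field so it can be eyeballed in the output. The sample lines, the host names and the cutoff value 2019-11-12 13:45:00 are assumptions made for the example.

```spl
| makeresults count=3
| streamstats count AS n
| eval date_info=case(
    n=1, "Nov 12 13:36:09 server_01 server[9513]: 2019-11-12 13:36:09",
    n=2, "Nov 12 14:00:00 server_01 server[9513]: 2019-11-12 14:00:00 ",
    n=3, "Nov 13 09:15:30 server_02 server[9514]: 2019-11-13 09:15:30")
| rex field=date_info "(?<date_str>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
| eval real_date=strptime(date_str, "%Y-%m-%d %H:%M:%S")
| eval cutoff=strptime("2019-11-12 13:45:00", "%Y-%m-%d %H:%M:%S")
| where isnotnull(real_date) AND real_date > cutoff
| eval real_date_readable=strftime(real_date, "%Y-%m-%d %H:%M:%S %z")
| table date_info date_str real_date real_date_readable
```

Expected result: the first line is dropped and the two later ones are kept, including the one with the trailing space. To run it against the indexed data, replace the first three commands with the base search (for example `index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE host=server00 date_info=* earliest=0`). The `earliest=0` matters for batch-loaded logs: the time picker still filters on _time, which here is the load time, not the time in the text, so a narrow picker window would exclude events before the where clause ever sees them. Two further checks: strptime on a string with no zone information interprets it in the timezone of the user running the search, so compare against a cutoff built the same way rather than a raw epoch copied from elsewhere; and in a dashboard the time input's earliest/latest tokens are epoch values only when the user picks a date range, whereas presets such as "Last 24 hours" yield strings like "-24h@h" and "now" that a numeric comparison will not handle, which is why the answer says to use the date range.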

dindu
Contributor

Could you please accept the answer if it solved your issue.

Thanks!!!

0 Karma

