Solved: Last 6 months search using new date field

utk123 · ‎05-19-2020

Hello,

I am trying to use another field (LAST_FIXED_DATE) as _time in my log search. LAST_FIXED_DATE got dates from 2008, 2009.....2020.
But I just want to find data for LAST_FIXED_DATE value from last 6 months. (example: Nov 2019 till April 2020)

Below query is not working, and still shows me _time value from 2008.

My query:
main search ....
| eval _time=strptime(LAST_FIXED_DATE,"%Y-%m-%d")
| table _time

Results what I see:
2008-06-30
2008-06-01

I just want _time to show values for last 6 months, and not back to 2008.
I have tried adding earliest and latest, but then I get no results.

richgalloway · ‎05-19-2020

The earliest and latest settings work with _time so they won't help. You'll have to constrain the results yourself using where.

main search ....
| eval _time=strptime(LAST_FIXED_DATE,"%Y-%m-%d")
| where _time > relative_time(now(), "-6mon")
| table _time

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-19-2020

The earliest and latest settings work with _time so they won't help. You'll have to constrain the results yourself using where.

main search ....
| eval _time=strptime(LAST_FIXED_DATE,"%Y-%m-%d")
| where _time > relative_time(now(), "-6mon")
| table _time

---
If this reply helps you, Karma would be appreciated.

Sfry1981 · ‎05-19-2020

try this

| eval _time = strptime(substr(LAST_FIXED_DATE,1,10), "%your%format%string%here%") | where (_time >= $info_min_time$ AND _time <= $info_max_time$)

Last 6 months search using new date field

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...