Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I look back 7 days from when an event occurred?

auaave
Communicator
‎05-07-2018 09:14 PM

Hey Guys,

I have a daily report that is showing the # of orders planned and completed for the day. However, sometimes the order plan and completion doesn't always happen on the same day. Some of the information that I need are available on when the order is received. Therefore, if the order was completed today but it was received yesterday, these information were lost. I have added earliest=-7d on my query but this is looking back 7 days when the search was done and not 7 days when the event happened.

The below query works when we are looking at today's order but when we have to look back at few months report then it doesn't work properly. How can I make it look at 7 days when the event happened? Thanks a lot!

| join type=outer BATCHNO 
    [ search index=* source="WCT_4BATCH_STATUS" STATUS=RECEIVED earliest=-7d 
    | eval RFT=strptime(RFT,"%Y-%m-%d %H:%M:%S.%N") 
    | stats max(RFT) as rft by BATCHNO] 
| join type=outer ORDERNO 
    [ search index=* source="WCT_4DELIVERY_ORDER_STATUS" STATUS=RECEIVED earliest=-7d 
    | rex field=ORDERNO "-(?<ORDERNO>\d+)" 
    | stats values(SIOFLAG) as flag by ORDERNO]
0 Karma
Reply

Shan
Builder
‎05-08-2018 10:14 PM

@auaave - If you want to achieve it. Check if you have any date information or date filed in your events. You can pick that date and filter the required information.. For example if you have a filed like order_date or order_close_date then you can filter the data with help of it rather than using earliest and latest. kindly check based on what timestamp data are indexed into splunk..

0 Karma
Reply

dstaulcu
Builder
‎05-08-2018 05:56 PM

What were you doing in the 7 days that preceded the murder?

sourcetype=actions person="you" 
        [ search action=murder 
        | eval earliest = (_time -7 * 86400), latest = (_time) 
        | fields host earliest latest 
        | format "(" "(" "" ")" "OR" ")" ]

Thanks Splunk mug!

0 Karma
Reply

consultanteIman
New Member
‎05-08-2018 06:19 AM

Hello ,

I think you have to retrieve the timestamp of the event, and then subtract 7 days converted to timestamp of your original timestamp .

i hope that help you.

regards ,

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...