Leave off the where and confirm that you have a year, month, and day field.

I tried:
eventtype=FAS | rex "BEGIN DATE = (?\d+)/(?\d+)/(?\d+)" | where year>2009 OR (year=2009 AND month>8) but could not get any results. I am still curious as to why it didn't work.

Then I took another route:

eventtype=FAS |eval begin_month = strftime(strptime('BEGIN DATE',"%m/%d/%Y") ,"%m")|eval begin_Year = strftime(strptime('BEGIN DATE',"%m/%d/%Y") ,"%Y")|where begin_Year > 2009 OR (begin_Year = 2009 AND begin_month>8)

Thank you for your comments!
JK

eval doesn't do field extraction. Either add a field extraction through Settings -> Fields -> Field extractions, or use rex in the search like this:

eventtype=FAS | rex "BEGIN DATE = (?<month>\d+)/(?<day>\d+)/(?<year>\d+)" | where year>2009 OR (year=2009 AND month>8)

The raw data looks like this: BEGIN DATE = 12/31/2009
(please note the space between BEGIN DATE)

I tried the following and showed no syntax errors but did not get any results from the query. What am I missing?

eventtype=FAS
| eval 'BEGIN DATE'="(?\d+)/(?\d+)/(?\d+)"
| where year>2009 OR (year=2009 AND month>8)

That depends on your raw data. Assuming it looks like this:

something begin_date=12/31/2009 something else

You could use this expression:

begin_date=(?<month>\d+)/(?<day>\d+)/(?<year>\d+)

martin_mueller,

How do you extract the day, month and year as individual fields? Would you please provide an example?
Thanks,

JK

Just use Splunk to convert the time:

| stats count | eval timestamp = strptime("2010-01-01 00:00:00", "%F %T")

Should yield 1262300400.

As for aliases, take a look at Settings -> Fields -> Field Aliases.

I found the following:

Prior to 1972, this time was called Greenwich Mean Time (GMT) but is now referred to as Coordinated Universal Time or Universal Time Coordinated (UTC)

I found this link to do the conversion:
http://www.freeformatter.com/epoch-timestamp-to-date-converter.html

For GMT:
Thu, 31 Dec 2009 23:59:59
1262239200

For Local:
12/31/2009 23:59:59 gives
1262325599

How do you know which one to use?
The other question is, since I am getting a variable named: "BEGIN DATE", how do I create an alias or rename it to: "begin_date"?

Thanks!
JK

Thanks! JK

In Splunk 6.1, you can create a calculated field named begin_date using the second line of the search above as a pattern. Once you have that field, your search would be

eventtype=FAS begin_date> 1262303999

Because 1262303999 is 12/31/2009 23:59:59 in epoch time. (I used a time converter to figure that out.)

This technique should allow you to save the resulting search as an eventtype

You could move those two commands into a macro to avoid typing the whole shebang into many searches.

Iguinn,

What alternatives are there to using "eventtype" if I cannot create one with the results of this query?
Eventtype search string cannot be a search pipeline or contain a subsearch.
Thanks!
JK

Iguinn,

This will do. Thanks for your help!

JK