Splunk Search

I want to exclude events before a certain date (not timestamp).

PC00128849
New Member

Let's say I have a column called birthdate in my events and I do not want to see the events or birth records which are before 01.01/2015. Can somebody help me to do this?


maciep
Champion

You should be able to use strptime to convert to epoch and then do the check. So let's say your birthday field is in a mm-dd-yyyy format...

your base search
| eval bd_epoch = strptime(birthday,"%m-%d-%Y"), bd_earliest_epoch = strptime("01-01-2015","%m-%d-%Y")
| where bd_epoch >= bd_earliest_epoch

PC00128849
New Member

| rename "Checkin Date" as Cdate
| eval epochdate=strptime(Cdate, "%d.%m.%Y")
| eval c_time=strftime(epochdate,"%d-%m-%Y")
| eval bd_earliest_epoch = strptime("05-04-2017","%d-%m-%Y")
| eval p_time=strftime(bd_earliest_epoch,"%d-%m-%Y")
| where (c_time < p_time)
| table ItemName c_time p_time

This is not returning expected values.

Below are the resulting events:

ItemName            c_time      p_time
Project_2           04-08-2019  05-04-2017
VAR_T_IB            01-04-2019  05-04-2017
VAR_ItemConfig_IB   02-01-2019  05-04-2017
VAR_Item_VAR        02-01-2017  05-04-2017

Ideally it should have shown only my last event, but it shows even bigger dates than 05-04-2017.


maciep
Champion

Ah, looks like you're comparing strings, not timestamps, so Splunk is going to compare them as strings. Either compare the epochs or reformat the date strings to a format that will work with a string compare, e.g. Year-Month-Day.

I'd go with epoch first at least, maybe this?

.... | where epochdate < bd_earliest_epoch | ....
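The following is an added example, not part of the original thread and not written by either poster. It reproduces the pitfall maciep describes in Python (rather than SPL, which cannot be run offline) over the four rows from the result table in the question, which are copied here as constructed input: the dd-mm-yyyy strings produced by strftime compare lexicographically, so the day field decides first and every row passes the `<` test, while comparing the epoch numbers (or Year-Month-Day strings) keeps only the one row that is actually earlier than 05-04-2017. The function names and the row list are this example's own.

```python
from datetime import datetime, timezone

# Constructed rows, copied from the result table in the question:
# (ItemName, "Checkin Date" in dd.mm.yyyy, as the raw events carry it)
EVENTS = [
    ("Project_2", "04.08.2019"),
    ("VAR_T_IB", "01.04.2019"),
    ("VAR_ItemConfig_IB", "02.01.2019"),
    ("VAR_Item_VAR", "02.01.2017"),
]
CUTOFF = "05-04-2017"  # the literal passed to strptime in the question (dd-mm-yyyy)


def to_epoch(date_str, fmt):
    """Stand-in for SPL strptime(): parse a date string into seconds since the epoch (UTC)."""
    return datetime.strptime(date_str, fmt).replace(tzinfo=timezone.utc).timestamp()


def string_compare_filter(events, cutoff=CUTOFF):
    """Reproduces the buggy pipeline from the question: both sides are formatted back
    to dd-mm-yyyy strings, so '<' is a lexicographic compare and the day field wins.
    Returns the ItemNames that pass the (wrong) test."""
    p_time = datetime.strptime(cutoff, "%d-%m-%Y").strftime("%d-%m-%Y")
    kept = []
    for name, raw in events:
        c_time = datetime.strptime(raw, "%d.%m.%Y").strftime("%d-%m-%Y")
        if c_time < p_time:  # "04-08-2019" < "05-04-2017" is True: '4' < '5'
            kept.append(name)
    return kept


def epoch_compare_filter(events, cutoff=CUTOFF):
    """The fix maciep suggests: compare the numeric epochs, never the formatted strings."""
    cutoff_epoch = to_epoch(cutoff, "%d-%m-%Y")
    return [name for name, raw in events if to_epoch(raw, "%d.%m.%Y") < cutoff_epoch]


def sortable_string_filter(events, cutoff=CUTOFF):
    """The alternative maciep mentions: reformat to Year-Month-Day (zero-padded,
    most significant field first), which makes a plain string compare correct."""
    p_iso = datetime.strptime(cutoff, "%d-%m-%Y").strftime("%Y-%m-%d")
    return [
        name
        for name, raw in events
        if datetime.strptime(raw, "%d.%m.%Y").strftime("%Y-%m-%d") < p_iso
    ]


if __name__ == "__main__":
    print("string compare (buggy):", string_compare_filter(EVENTS))
    print("epoch compare (fixed): ", epoch_compare_filter(EVENTS))
    print("ISO string compare:    ", sortable_string_filter(EVENTS))
```

The same applies in SPL: `strftime()` returns a string, so `where c_time < p_time` on two strftime'd fields is a string compare, exactly what produced the four-row table above. Comparing `epochdate` with `bd_earliest_epoch` directly, as in maciep's last reply, avoids the round trip through strings entirely, and the intermediate `c_time`/`p_time` fields are then only needed for display.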