- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need to get events created in last 30days
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to fetch splunk events that are created in last 30days for below query, by selecting time range as last 30days.
But i am getting all time events itseems for this query. Please suggest
Query used:
index=servicenow eventtype=snow_change* sourcetype="snow:change_request" (change_state_name="Work Complete" OR change_state_name=Closed) earliest=-30d@d
| dedup number | eval diff=strptime(dv_work_end,"%Y-%m-%d %H:%M:%S")-strptime(dv_work_start,"%Y-%m-%d %H:%M:%S")
| eval Downtime=round((diff/60),3)
| table number Downtime host dv_work_start dv_work_end
SPlunk Evets o/p:
Complete 1,285 events (1/28/20 12:00:00.000 AM to 2/27/20 5:30:31.555 PM) No Event Sampling Job Smart Mode
Events
Patterns
Statistics (1,285)
Visualization
100 Per Page
Format
Preview
Prev1...3456789...Next
number Downtime host dv_work_start dv_work_end
number Downtime host dv_work_start dv_work_end
CHG0129357 300.000 kmci4odw2023 2020-01-19 21:00:00 2020-01-20 02:00:00
CHG0129566 120.000 kmci4odw2023 2020-01-19 23:30:00 2020-01-20 01:30:00
CHG0129494 99.250 kmci4odw2023 2020-01-19 23:48:54 2020-01-20 01:28:09
CHG0129795 4320.367 kmci4odw2023 2020-01-20 10:55:10 2020-01-23 10:55:32
CHG0129116 1110.000 kmci4odw2023 2020-01-20 13:00:00 2020-01-21 07:30:00
CHG0129536 1380.000 kmci4odw2023 2020-01-20 13:30:00 2020-01-21 12:30:00
CHG0129632 88.250 kmci4odw2023 2020-01-20 15:05:04 2020-01-20 16:33:19
CHG0129634 120.000 kmci4odw2023 2020-01-20 16:15:00 2020-01-20 18:15:00
CHG0129585 120.000 kmci4odw2023 2020-01-20 17:00:00 2020-01-20 19:00:00
CHG0129389 155.100 kmci4odw2023 2020-01-20 22:30:25 2020-01-21 01:05:31
CHG0129593 0.000 kmci4odw2023 2020-01-20 23:30:00 2020-01-20 23:30:00
CHG0129647 90.667 kmci4odw2023 2020-01-21 04:30:00 2020-01-21 06:00:40
CHG0129323 1440.000 kmci4odw2023 2020-01-21 07:00:00 2020-01-22 07:00:00
CHG0128642 60.000 kmci4odw2023 2020-01-21 09:00:00 2020-01-21 10:00:00
CHG0129555 151.300 kmci4odw2023 2020-01-21 09:00:25 2020-01-21 11:31:43
CHG0128772 90.000 kmci4odw2023 2020-01-21 09:30:00 2020-01-21 11:00:00
CHG0129613 1440.000 kmci4odw2023 2020-01-21 09:30:00 2020-01-22 09:30:00
CHG0129234 1440.000 kmci4odw2023 2020-01-21 09:30:00 2020-01-22 09:30:00
CHG0129955 10080.000 kmci4odw2023 2020-01-21 09:55:51 2020-01-28 09:55:51
CHG0129650 57.800 kmci4odw2023 2020-01-21 10:00:00 2020-01-21 10:57:48
CHG0128646 120.000 kmci4odw2023 2020-01-21 10:00:00 2020-01-21 12:00:00
CHG0129667 1230.000 kmci4odw2023 2020-01-21 13:00:00 2020-01-22 09:30:00
CHG0128650 3120.000 kmci4odw2023 2020-01-21 13:00:00 2020-01-23 17:00:00
CHG0129676 120.000 kmci4odw2023 2020-01-21 13:15:00 2020-01-21 15:15:00
CHG0129461 119.500 kmci4odw2023 2020-01-21 13:30:30 2020-01-21 15:30:00
CHG0129446 60.000 kmci4odw2023 2020-01-21 16:00:00 2020-01-21 17:00:00
CHG0129292 50.000 kmci4odw2023 2020-01-21 17:00:00 2020-01-21 17:50:00
CHG0129679 35.000 kmci4odw2023 2020-01-21 17:20:00 2020-01-21 17:55:00
CHG0129709 420.000 kmci4odw2023 2020-01-21 19:00:00 2020-01-22 02:00:00
CHG0129526 167.917 kmci4odw2023 2020-01-21 21:00:00 2020-01-21 23:47:55
CHG0129677 180.000 kmci4odw2023 2020-01-21 21:30:00 2020-01-22 00:30:00
CHG0129646 40.183 kmci4odw2023 2020-01-21 23:35:37 2020-01-22 00:15:48
CHG0129567 296.883 kmci4odw2023 2020-01-22 00:25:57 2020-01-22 05:22:50
CHG0129417 1450.000 kmci4odw2023 2020-01-22 07:00:00 2020-01-23 07:10:00
CHG0129295 10.000 kmci4odw2023 2020-01-22 07:00:00 2020-01-22 07:10:00
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
....
| where relative_time(_time,"-30d@d") <= strptime(dv_work_start,"%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
....
| where relative_time(_time,"-30d@d") <= strptime(dv_work_start,"%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The timerange you apply on the search works based on the field "_time" which denotes when the event occurred.
In your results, the dates you see are different timestamp field and not _time. Those timestamp fields (dv_work_start dv_work_end) may not be related to the _time field (they're not per your data), hence you see variety of dates.
I would suggest to check the timestamp parsing of your sourcetype to see what time is being considered as time. If possible update your sourcetype to use one of `dv_work*` field so that you can filter based on that.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
