One of the things that make conversions between SQL and SPLUNK so difficult is that we tend to use the same terms but they mean very different things. I should have been more specific.
I am trying to simulate this type of date filter in splunk. Please help...
In SQL I use
select * from table where DATEADD(DD, -30, getdate()) > SomeTimeValueFromTheEvent
I am simply looking for data that is contained in the event (not the indexed time, but time data in the event) so I can report on it. A great example is filtering out Active Directory records on the Password Last Set value ("30 days ago").
Thanks!
Update
The new query below does not seem to work either. The items I am using are out-of-the-box discovery functionality of SPLUNK. The data source is Active Directory. On the computer object there is an attribute called pwdLastSet. I am simply trying to filter for computer objects that have reset their passwords in the last 30 days.
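As an added example (not part of the original post, and not the query the poster tried), here is one way to express the SQL-style "30 days ago" filter in SPL against a time value carried inside the event rather than against _time. It assumes the AD monitoring input's `sourcetype=ActiveDirectory` and that computer objects are identified by `objectCategory` starting with `CN=Computer`; both are assumptions to check against your own data. It also assumes `pwdLastSet` arrives either as a raw Windows FILETIME (100-nanosecond intervals since 1601-01-01) or as a formatted string, and the `%m/%d/%Y %H:%M:%S` format string is a placeholder you must match to how your add-on actually renders the value.

```spl
index=* sourcetype=ActiveDirectory objectCategory="CN=Computer*"
/* assumed field values: adjust sourcetype/objectCategory to your environment */
| eval pwdLastSet_epoch = if(match(pwdLastSet, "^\d+$"),
      tonumber(pwdLastSet)/10000000 - 11644473600,
      strptime(pwdLastSet, "%m/%d/%Y %H:%M:%S"))
/* FILETIME -> Unix epoch: 10^7 intervals per second, 11644473600 s between 1601-01-01 and 1970-01-01 */
/* relative_time(now(), "-30d@d") is the SPL counterpart of DATEADD(DD, -30, getdate()) snapped to midnight */
| where pwdLastSet_epoch > relative_time(now(), "-30d@d")
| eval pwdLastSet_human = strftime(pwdLastSet_epoch, "%Y-%m-%d %H:%M:%S")
| table cn, dNSHostName, pwdLastSet_human
```

The comparison direction decides which side you keep: `pwdLastSet_epoch > relative_time(now(), "-30d@d")` returns computers whose password was set within the last 30 days, while `<` returns the ones set more than 30 days ago, which is the set the SQL `DATEADD(DD, -30, getdate()) > SomeTimeValueFromTheEvent` predicate selects. Note that a `pwdLastSet` of 0 in Active Directory means "must change at next logon"; after FILETIME conversion it becomes 1601-01-01 and drops out of the "last 30 days" result, but it will show up in an "older than 30 days" report and is usually worth handling separately.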