Thank you both for answering my question and providing the queries! I ran into two issues (in case anybody else is going to use these)
1) On the first query it did not like "> (86400*90)". Splunk said "Error in 'search' command: Unable to parse the search: Comparator '>' has an invalid term on the right hand side."
So I had to pull out a piece of paper and remind myself how to do complex multiplication (*mutters to self* 9 times 6, carry the 5...) and changed the query to read "> 432000"
After that it ran great!
2) When I ran the second query I get this error "Search operation 'sourcetype' is unknown. You might not have permission to run this operation." This is not a big deal because I got the first query to work and it gives me what I am looking for but the curiosity factor takes over and is driving me crazy why the second query does not work on my box?
... View more