
I have Splunk logs whose search results include an ExpiryDate field, and I need to configure an alert that fires 10 days before that expiry date.

Splunk result will be

Expiry Date: 12-28-2019

Thanks in Advance


1 Answer


Assuming ExpiryDate is in the text format you show, this should do it. If it's in epoch form, you can omit the strptime command.

<your current search> | eval eExpiryDate=strptime(ExpiryDate, "%m-%d-%Y") 
| eval sevenDaysHence=relative_time(now(), "+7d") 
| where eExpiryDate < sevenDaysHence
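As an added illustration (this is not the answerer's search and not Splunk code): the same check done outside Splunk in Python, run over a few constructed sample events that carry the "Expiry Date: MM-DD-YYYY" text from the question. The event lines, host names and certificate names are made up for the example. It performs the parse step that the answer's strptime does, uses an injectable "now" so the result is reproducible, and separates already-expired dates from dates inside the alert window, which the single where clause in the answer does not (an expired certificate and one expiring next week both satisfy eExpiryDate < sevenDaysHence).

```python
import re
from datetime import datetime, timedelta

# Constructed sample search results (not real Splunk output).
SAMPLE_EVENTS = [
    "host=web01 cert=api.example.test Expiry Date: 12-28-2019",
    "host=web02 cert=mail.example.test Expiry Date: 01-15-2020",
    "host=web03 cert=old.example.test Expiry Date: 11-01-2019",
    "host=web04 cert=noexpiry.example.test",
]

# Fixed reference time so the classification is reproducible; a real
# job would use datetime.now(), as the SPL answer uses now().
REFERENCE_NOW = datetime(2019, 12, 20)

# Same field format the answer assumes: month-day-year with two-digit month/day.
EXPIRY_RE = re.compile(r"Expiry Date:\s*(\d{2}-\d{2}-\d{4})")


def parse_expiry(event):
    """Return the expiry as a datetime (midnight of that day), or None if absent."""
    m = EXPIRY_RE.search(event)
    if not m:
        return None
    # Equivalent of strptime(ExpiryDate, "%m-%d-%Y") in the SPL answer.
    return datetime.strptime(m.group(1), "%m-%d-%Y")


def classify(event, now=REFERENCE_NOW, window_days=10):
    """Classify one event as 'unparsed', 'expired', 'expiring' or 'ok'."""
    expiry = parse_expiry(event)
    if expiry is None:
        # Missing or malformed field: surface it rather than silently skip it,
        # otherwise a broken extraction looks like "nothing is expiring".
        return "unparsed"
    if expiry < now:
        return "expired"
    if expiry <= now + timedelta(days=window_days):
        return "expiring"
    return "ok"


def find_expiring(events, now=REFERENCE_NOW, window_days=10):
    """Group events by status; the 'expiring' and 'expired' lists are what an alert should carry."""
    groups = {"unparsed": [], "expired": [], "expiring": [], "ok": []}
    for event in events:
        groups[classify(event, now, window_days)].append(event)
    return groups


if __name__ == "__main__":
    for status, events in find_expiring(SAMPLE_EVENTS).items():
        for event in events:
            print(f"{status:9} {event}")
```

The window comparison is done against midnight of the expiry day, which is also what strptime with a date-only format yields in Splunk, so a certificate expiring "today" counts as expiring until the day is over and as expired afterwards. Keeping "unparsed" as its own bucket matters for an alert: if the field extraction breaks, you want to see that, not an empty result.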