I have Splunk logs which give the ExpiryDate in the search result based on the value of the result; I need to configure an alert 10 days before the ExpiryDate.
Assuming ExpiryDate is in the text format you show, this should do it. If it's in epoch form then you can omit the strptime command.
<your current search> | eval eExpiryDate=strptime(ExpiryDate, "%m-%d-%Y")
| eval tenDaysHence=relative_time(now(), "+10d")
| where eExpiryDate < tenDaysHence
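A more defensive version of the same search, added here as an example and not part of the original answer. It assumes the same field name (ExpiryDate), the same text format ("%m-%d-%Y"), and the 10-day window from the question. The point it adds is that strptime() returns null for any value it cannot parse, and a plain `where eExpiryDate < ...` silently drops those rows, so a certificate or account with a malformed expiry date would never raise an alert. This version keeps those rows visible, accepts values that are already in epoch form, and separates "already expired" from "expiring soon":

```spl
<your current search>
``` assumption: ExpiryDate is either an epoch number or text in %m-%d-%Y form ```
| eval eExpiryDate=if(isnum(ExpiryDate), ExpiryDate, strptime(ExpiryDate, "%m-%d-%Y"))
``` days remaining; negative means the expiry date is already in the past ```
| eval daysLeft=round((eExpiryDate - now()) / 86400, 0)
``` keep rows inside the 10-day window AND rows whose date could not be parsed ```
| where isnull(eExpiryDate) OR daysLeft <= 10
| eval status=if(isnull(eExpiryDate), "UNPARSED_DATE",
                 if(daysLeft < 0, "EXPIRED", "EXPIRING_SOON"))
| table ExpiryDate, daysLeft, status
```

Save this as a scheduled alert that triggers when the number of results is greater than 0; the UNPARSED_DATE rows then surface as a data-quality signal instead of disappearing, and the status field lets the alert message distinguish items that still have time from items that have already lapsed.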