topic Re: Compare a field date with current date for alert in Alerting

Compare a field date with current date for alert

glen_drivas — Fri, 10 May 2019 18:17:28 GMT

I have a simple windows script that collects CRL expiration dates and runs as a task every 24 hours

echo | set /P = "%date:~4,10% %time:~1,7% " >> c:\crl_expiration.log echo | set /P = "crl1.crl " >> c:\crl_expiration.log openssl crl -inform DER -in \\x.x.x.x\crl\crl1.crl -noout -nextupdate >> c:\crl_expiration.log echo.>>c:\crl_expiration.log

The log output looks like this

05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT

These get indexed by Splunk

I need to compare the given CRL expiration date listed as nextUpdate to today and I need to create an alert if the CRL's are going to expire soon.

| eval dateadded_epoch = strptime('Date Added', "%b %d %H:%M:%S %Y") | where dateadded_epoch >= relative_time(now(), "-1d@d")

I have not been able to get this to work for some reason and if someone has a suggestion on a better way to do this, it would be welcome.

Re: Compare a field date with current date for alert

somesoni2 — Fri, 10 May 2019 19:40:53 GMT

Has the field been extracted correctly? Your raw data doesn't show any field name 'Date Added', just multiple entries for nextUpdate (only first one will be extracted by default).

Re: Compare a field date with current date for alert

woodcock — Sat, 11 May 2019 05:27:52 GMT

Like this:

| makeresults 
| eval _raw="05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT" 
| rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)"
| mvexpand expiration
| where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")

Re: Compare a field date with current date for alert

glen_drivas — Mon, 13 May 2019 17:50:14 GMT

The date and time changes daily, the names also change over long periods of time.

The "-1d@d" doesn't seem to only display the results from the last day.

Re: Compare a field date with current date for alert

woodcock — Mon, 13 May 2019 22:29:40 GMT

You asked to compare the date to the current date. That is what the -1d@d does. I don't know what you mean; I only know what you write.

Re: Compare a field date with current date for alert

glen_drivas — Mon, 13 May 2019 22:52:32 GMT

To attempt to get this working for real, I tried this

index=crl | rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)" |rex max_match=0 (?<crl_name>crl\S+.crl) | mvexpand expiration
 | where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")

It's showing all results, the "-1d@d" isn't limiting the results by dates specified.

Re: Compare a field date with current date for alert

woodcock — Mon, 13 May 2019 23:19:25 GMT

If that is so, it is definitely because all of the events have at least 1 value for expiration that is from today, which is what you asked for. It sounds like the data is not really how you expect it to be.