topic Re: Query result in Alerting

How to find when index was last updated

sivakumar28 — Fri, 10 Nov 2023 11:33:34 GMT

Hi All,

I have this query that runs

| tstats latest(_time) as LatestEvent where index=* by index, host
| eval LatestLog=strftime(LatestEvent,"%a %m/%d/%Y %H:%M:%S")
| eval duration = now() - LatestEvent
| eval timediff = tostring(duration, "duration")
| lookup HostTreshold host
| where duration > threshold
| rename host as "src_host", index as "idx"
| fields - LatestEvent
| search NOT (index="cim_modactions" OR index="risk" OR index="audit_summary" OR index="threat_activity" OR index="endpoint_summary" OR index="summary" OR index="main" OR index="notable" OR index="notable_summary" OR index="mandiant")

The result is below

Now how do i add index = waf_imperva . Thanks

Regards,

Roger

Re: Query result

ITWhisperer — Fri, 10 Nov 2023 09:54:42 GMT

It is not clear what your expected result would look like - please can you explain further

Re: Query result

sivakumar28 — Fri, 10 Nov 2023 11:27:10 GMT

The query should have the result of index = waf_imperva. However, the result is not there. How to I ensure to include waf_imperva in the query or how do I troubleshoot why not there?

Re: Query result

ITWhisperer — Fri, 10 Nov 2023 11:31:49 GMT

Start with this and look to see when you last got events for that index and which host or host is was.

| tstats latest(_time) as LatestEvent where index=waf_imperva by host

Then back track from there to figure out why you don't have any events

Re: Query result

sivakumar28 — Fri, 10 Nov 2023 17:27:08 GMT

Do i need to include the IP address?

Re: Query result

ITWhisperer — Fri, 10 Nov 2023 21:14:42 GMT

Which ip address?

Did you find out if you have any events in that index?

What timeframe did you search over?

Re: Query result

sivakumar28 — Sat, 11 Nov 2023 09:03:48 GMT

Hi ITWhisperer

| tstats latest(_time) as LatestEvent where index=waf_imperva by host

15 min time frame

Host Count
10.30.168.10 1699663326

Why query below is not providing this result? My humble request for a struggling engineer, May I have your whatsup?

| tstats latest(_time) as LatestEvent where index=* by index, host | eval LatestLog=strftime(LatestEvent,"%a %m/%d/%Y %H:%M:%S") | eval duration = now() - LatestEvent | eval timediff = tostring(duration, "duration") | lookup HostTreshold host | where duration > threshold | rename host as "src_host", index as "idx" | fields - LatestEvent | search NOT (index="cim_modactions" OR index="risk" OR index="audit_summary" OR index="threat_activity" OR index="endpoint_summary" OR index="summary" OR index="main" OR index="notable" OR index="notable_summary" OR index="mandiant")

Re: Query result

ITWhisperer — Sat, 11 Nov 2023 10:20:41 GMT

It looks like your host ip may not be in your lookup - please add the relevant information to the lookup.

Re: Query result

sivakumar28 — Sat, 11 Nov 2023 10:27:06 GMT

Hi @ITWhisperer ,

How do i do that? Any steps pls. Thanks.

Regards,

Siva Kumar

Re: Query result

ITWhisperer — Sat, 11 Nov 2023 10:29:51 GMT

Edit your lookup file and reload it, or use outputlookup to overwrite/update it.