topic How do I find the time events have been sent in for the last 3 days? in Splunk Search

How do I find the time events have been sent in for the last 3 days?

Fats120 — Thu, 07 Apr 2022 15:45:04 GMT

How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came in

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

gcusello — Thu, 07 Apr 2022 14:35:24 GMT

Hi @Fats120,

I'm not sure to understand you request:

do you want the timestamp or the indexing time of each event?

what do you mean with "53 different events came"?

Ciao.

Giuseppe

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

Fats120 — Thu, 07 Apr 2022 14:37:43 GMT

So I need to monitor 53 different events.

I need to know what time every event came in for the last 3 days.

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

gcusello — Thu, 07 Apr 2022 14:53:09 GMT

Hi @Fats120,

you need to know 53 generic events or specific (e.g. matching a string or a field)?

anyway you have to use the head command, something like this:

your_search | head 53

Ciao.

Giuseppe

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

Fats120 — Thu, 07 Apr 2022 15:04:02 GMT

No i need a table to show what time all events in the last 3 days came in

Sorry for not being clear enough

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

gcusello — Thu, 07 Apr 2022 15:07:00 GMT

Hi @Fats120,

did you tried something like this?

your_search | head 53 | table _time

I'm not sure to understand you request because it's a too simple answer!

Ciao.

Giuseppe

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

Fats120 — Thu, 07 Apr 2022 15:09:59 GMT

Essentially the search needs to look into a CSV file and show a table of all the events that are coming in for the last 3 days, i tried this search you provided but no luck.

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

Fats120 — Thu, 07 Apr 2022 15:10:44 GMT

a time stamp of all events

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

gcusello — Thu, 07 Apr 2022 15:22:43 GMT

Hi @Fats120,

at first how the rows of the CSV file are indexed in Splunk: in an index or in a lookup?

if in an index, you have to check if the "time" column of the csv is correctly associated to the timestamp or not.

if yes, you can run a search like this:

index=your_index | head 53 | table _time

if it isn't associated to a timestamp but it's in a field called e.g. "time" and using the format "YYYY-mm-dd HH:MM:SS" you have to add an additional filter, something like this:

index=your_index | eval time=strptime(time,"%Y-%m-%d %H:%M:%S") | where time>now()-3600*24*3 | head 53 | table _time

If instead the data are in a lookup and there a field called "time", you could run something like this:

Ciao.

Giuseppe

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

teunlaan — Fri, 08 Apr 2022 08:08:15 GMT

So you want to see WHEN the event arrived at the indexer? So tou need the see the indextime

index=your search | rename _indextime as indextime | eval indextime=strftime(indextime,"%Y-%m-%d %H:%M:%S") | table _time indextime _raw

This shows:

_time = time splunk thinks it is

indexertime = time splunk saved thet data to disk

_raw = the event

Re: How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came

ITWhisperer — Fri, 08 Apr 2022 08:18:39 GMT

Does your csv contain values that you want to search in your index over the last 3 days and extract the matching events?

Assuming your csv has a column called key and your events also have a field called key, you can do something like this

index=your index earliest=-3d@d latest=@d [| inputlookup your.csv | fields key]

If the field names between your csv and your index don't match, you can use rename the rename the field from the csv so that it matches the field in the indexed events