topic How to see only the events where "firstSeen" is within the last 7 days? in Splunk Search

How to see only the events where "firstSeen" is within the last 7 days?

marceldera — Tue, 29 Nov 2022 17:48:42 GMT

I have this dataset in SPlunk, I am trying to see only the events where "firstSeen" is within the last 7 days.

I tried to | where firstSeen<7d but that didn't work also.

state	Age	dnsName	firstSeen	ip	lastSeen	severity	pluginID
open	32.49	28-Nov-22	28-Nov-22	10.102.10.1	29-Nov-22	informational	10180
open	1	Cat	28-Nov-22	10.102.1.23	29-Nov-22	informational	11219
open	34.06		22-Nov-22		29-Nov-22	informational	19506
open	5.6	Dog	23-Nov-22		28-Nov-22	informational	168007
open	22.65	Lion	6-Nov-22		28-Nov-22	informational	166958
open	31.64	tiger	28-Oct-22		28-Nov-22	informational	166602
open	120.63	giraf	25-Nov-22		28-Nov-22	informational	163588
open	68.47	leap	21-Sep-22		28-Nov-22	informational	163489
open	68.47	big dog	21-Sep-22		28-Nov-22	informational	163488

Re: How to see only the events where "firstSeen" is within the last 7 days?

PickleRick — Tue, 29 Nov 2022 18:06:17 GMT

It's hard to be certain from this table but the firstSeen will most probably be a string. You have to parse it with strptime to a nummerical timestamp. Then you simply filter with

| where your_timestamp>now()-7*86400

Re: How to see only the events where "firstSeen" is within the last 7 days?

marceldera — Tue, 29 Nov 2022 18:20:24 GMT

This is the query that i used, it is returning no results

index=tenable* sourcetype="*" | where pluginID <1000000
| eval firstSeen=strftime(firstSeen, "%m/%d/%Y %H:%M:%S")
| eval lastSeen=strftime(lastSeen, "%m/%d/%Y %H:%M:%S")
| eval discovery = strptime(lastSeen, "%m/%d/%Y %H:%M:%S") - strptime(firstSeen, "%m/%d/%Y %H:%M:%S")
| eval Age = round(discovery / 86400, 2)
| eval firstSeen =strftime(strptime(firstSeen,"%m/%d/%Y %H:%M:%S"),"%d-%B-%y")
| eval lastSeen =strftime(strptime(lastSeen,"%m/%d/%Y %H:%M:%S"),"%d-%B-%y")
| dedup pluginID
| where firstSeen>now()-7*86400
| table State Age dnsName firstSeen ip lastSeen severity pluginID

Re: How to see only the events where "firstSeen" is within the last 7 days?

yuanliu — Tue, 29 Nov 2022 19:06:16 GMT

How is it that your "dataset" contains a field "Age" but you are also calculating it based on a field that doesn't exist in your dataset, namely "lastSeen"? Is that table what is output, not what is your dataset?

Without knowing what your raw data looks like, no one can tell you what to expect.

Re: How to see only the events where "firstSeen" is within the last 7 days?

yuanliu — Tue, 29 Nov 2022 19:12:19 GMT

Purely based on your sample code, there are several mistakes; the most serious one is to trying to calculate numeric value based on output from strftime which is a string.

If I take blind faith in your code, I'd modify it to