topic Re: Help with search for specific dates? in Splunk Search

Help with search for specific dates?

AL3Z — Mon, 30 Jan 2023 18:28:58 GMT

Hi,

Could you help me in editing the below search

index=test sourcetype="centino" | stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, values(first_find) as first_find, values(last_find) as last_find, , values(systems) as system by id.

1. In the below output of fields we need to display only the date 2023-01-22

first_find last_find

2. Instead of receiving all the notifications we require, if today's date matches the first _find or the last_find, raise an alert
*todays date will change every day do not bound that with actual todays date*

Thanks...

Re: Help with search for specific dates?

richgalloway — Mon, 30 Jan 2023 18:57:00 GMT

There are a few ways to reduce the timestamp to just the date. The substr() function may be the easiest.

Use the now() function to get the current timestamp and the strftime() function to convert it into the same format as first_find and last_find. Then the where command can compare them and only show events from today.

index=test sourcetype="issues" | eval first_find=substr(first_find, 1, 10), last_find=substr(last_find, 1, 10) | stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, values(first_find) as first_find, values(last_find) as last_find, , values(systems) as system by id | eval today = strftime(now(), "%Y-%m-%d") | where (match(first_find, today) OR match(last_find, today))

Note that this query may not work properly if first_find and last_find are multi-value fields.

Re: Help with search for specific dates?

AL3Z — Tue, 31 Jan 2023 16:19:55 GMT

@richgalloway

@itwishperer
@

Hi,

what if we have a multi valued fields,could you pls make a search according to that

Thanks..

Re: Help with search for specific dates?

richgalloway — Tue, 31 Jan 2023 15:52:44 GMT

The concept of more than one "first" or "last" anything baffles me so here is a query that eliminates mutli-value firsts and lasts.

index=test sourcetype="issues" | eval first_find=substr(first_find, 1, 10), last_find=substr(last_find, 1, 10) | stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, earliest(first_find) as first_find, latest(last_find) as last_find, values(systems) as system by id | eval today = strftime(now(), "%Y-%m-%d") | where (match(first_find, today) OR match(last_find, today))

Re: Help with search for specific dates?

AL3Z — Wed, 01 Feb 2023 07:21:32 GMT

@richgalloway

Hi,

This query is same as first query.

What the difference ?

Re: Help with search for specific dates?

richgalloway — Wed, 01 Feb 2023 13:29:27 GMT

The difference is the second query uses earliest and latest instead of values for the first_find and last_find fields to avoid multi-value results.

Re: Help with search for specific dates?

AL3Z — Mon, 20 Feb 2023 14:26:00 GMT

@richgalloway

this search is not raising any alerts, what could be the problem, the first find and last time fields time in events looks like UTC time, do we need to normalise to IST to get it match if so how we can normalise it.
thnks.

Re: Help with search for specific dates?

richgalloway — Mon, 20 Feb 2023 20:03:24 GMT

Normalize timestamps by using the strptime function to convert them into internal (epoch) form.