https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640888#M222050 <P>It depends whether you can find those hosts by expanding your time range. If you can, just find max(_time) by host and check if it falls within needed range. If you can't, you must have a static list of hosts to compare events in your index with. You can't find something if it's not there.</P> Thu, 20 Apr 2023 18:05:57 GMT PickleRick 2023-04-20T18:05:57Z https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640858#M222033 <P>I'm looking over vulnerability scan data and have the _time field formatted as&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| eval Last_Scanned = strftime(time, "%F")</LI-CODE> <P>&nbsp;</P> <P>How can I created a search to show hosts(events) that have not been scanned within two weeks of the current date?</P> Thu, 20 Apr 2023 16:44:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640858#M222033 atebysandwich 2023-04-20T16:44:35Z https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640878#M222043 <P>Grouping by host and then filtering using relative_time should work. This only leaves you the date and host though, so maybe you'll want to add some fields to the stats command.</P><LI-CODE lang="markup">| stats max(_time) as Last_Scanned by host | where Last_Scanned&lt;relative_time(now(), "-2w")</LI-CODE><P>&nbsp;</P> Thu, 20 Apr 2023 17:32:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640878#M222043 rut 2023-04-20T17:32:03Z https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640888#M222050 <P>It depends whether you can find those hosts by expanding your time range. If you can, just find max(_time) by host and check if it falls within needed range. If you can't, you must have a static list of hosts to compare events in your index with. You can't find something if it's not there.</P> Thu, 20 Apr 2023 18:05:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640888#M222050 PickleRick 2023-04-20T18:05:57Z https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640894#M222053 <P>I ad to do some tweaking to make some of it work. when I did</P><LI-CODE lang="markup">| stats max(Last_Scanned) by IP</LI-CODE><P>I got all the IPs and their last scan time. However, when I did the second line, no results were found.&nbsp;<BR /><BR /></P><P>It should be noted that earlier in the search _time was specified as time&nbsp;</P> Thu, 20 Apr 2023 18:24:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640894#M222053 atebysandwich 2023-04-20T18:24:32Z https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640899#M222055 <P>OK, so are you adding the lines on _time or your formatted time? In your original question you added the following line:</P><P>&nbsp;</P><LI-CODE lang="markup">| eval Last_Scanned = strftime(time, "%F")</LI-CODE><P>&nbsp;</P><P>%F = Equivalent to&nbsp;%Y-%m-%d (the ISO 8601 date format).</P><P>The command max and the comparison with relative_time are expecting a timestamp, not formatted time. So you can either use the original timestamp or use strptime to transform it back.</P><P>See the following docs for more information.</P><P>strptime:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strptime.28.26lt.3Bstr.26gt.3B.2C.26lt.3Bformat.26gt.3B.29" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strptime.28.26lt.3Bstr.26gt.3B.2C.26lt.3Bformat.26gt.3B.29</A></P><P>relative_time:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#relative_time.28.26lt.3Btime.26gt.3B.2C.26lt.3Bspecifier.26gt.3B.29" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#relative_time.28.26lt.3Btime.26gt.3B.2C.26lt.3Bspecifier.26gt.3B.29</A></P><P>Formats:</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Commontimeformatvariables#Time_variables" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Commontimeformatvariables#Time_variables</A></P> Thu, 20 Apr 2023 18:41:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640899#M222055 rut 2023-04-20T18:41:51Z https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640901#M222057 <P class="lia-align-left">You can't do max() on non-numerical field. When you did your strftime() you lost the ability to calculate/compare timestamps.</P> Thu, 20 Apr 2023 18:53:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640901#M222057 PickleRick 2023-04-20T18:53:35Z https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640902#M222058 <P>I removed strftime and moved a lookup after the searches you mentioned and it worked.&nbsp;</P> Thu, 20 Apr 2023 18:57:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-events-that-haven-t-happened-in-a-given-amount-of/m-p/640902#M222058 atebysandwich 2023-04-20T18:57:46Z