I have a simple Windows script that collects CRL expiration dates and runs as a task every 24 hours.
echo | set /P = "%date:~4,10% %time:~1,7% " >> c:\crl_expiration.log
echo | set /P = "crl1.crl " >> c:\crl_expiration.log
openssl crl -inform DER -in \\x.x.x.x\crl\crl1.crl -noout -nextupdate >> c:\crl_expiration.log
echo.>>c:\crl_expiration.log
The log output looks like this:
05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT
These get indexed by Splunk.
I need to compare the given CRL expiration date listed as nextUpdate to today, and I need to create an alert if the CRLs are going to expire soon.
| eval dateadded_epoch = strptime('Date Added', "%b %d %H:%M:%S %Y") | where dateadded_epoch >= relative_time(now(), "-1d@d")
I have not been able to get this to work for some reason and if someone has a suggestion on a better way to do this, it would be welcome.
Like this:
| makeresults
| eval _raw="05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT"
| rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)"
| mvexpand expiration
| where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")
The date and time changes daily, the names also change over long periods of time.
The "-1d@d" doesn't seem to only display the results from the last day.
You asked to compare the date to the current date. That is what the -1d@d does. I don't know what you mean; I only know what you write.
To attempt to get this working for real, I tried this
index=crl | rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)" | rex max_match=0 "(?<crl_name>crl\S+\.crl)" | mvexpand expiration
| where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")
It's showing all results; the "-1d@d" isn't limiting the results to the dates specified.
If that is so, it is definitely because all of the events have at least 1 value for expiration that is from today, which is what you asked for. It sounds like the data is not really how you expect it to be.
Has the field been extracted correctly? Your raw data doesn't show any field name 'Date Added', just multiple entries for nextUpdate (only first one will be extracted by default).
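To make the expiry check concrete, here is an added worked example (mine, not code from anyone in this thread) that runs the same logic offline over a constructed copy of the log format above. It differs from the searches in the thread in the direction of the test: a "soon to expire" alert wants entries whose nextUpdate is less than N days ahead of now, rather than entries with a nextUpdate later than yesterday. It also keeps only the newest line per CRL (the script appends a line every run, so old lines describe CRLs that may since have been reissued), pins the parsed nextUpdate to UTC because openssl prints it in GMT, and tolerates the padding space openssl puts before single-digit days ("May  5"). The sample log, the fixed "now", the 3-day threshold and the field names logged / crl_name / expiration are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the thread's log format: two daily runs of the script over
# three CRLs. Assumed for the example: crl2.crl is never refreshed (already expired)
# and crl3.crl was reissued between the two runs, so its older line is stale.
SAMPLE_LOG = """\
05/08/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/08/2019 13:00:02 crl2.crl nextUpdate=May  5 17:00:00 2019 GMT
05/08/2019 13:00:05 crl3.crl nextUpdate=May  9 09:30:00 2019 GMT
05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May  5 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=May 16 09:30:00 2019 GMT
"""

# Fixed "now" so the sample is reproducible; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2019, 5, 9, 13, 0, 0, tzinfo=timezone.utc)

# Field names are this example's own choice. openssl pads single-digit days with a
# space ("May  5 ..."), so the expiration group allows one or more spaces after the month.
LINE_RE = re.compile(
    r"^(?P<logged>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2}) "
    r"(?P<crl_name>\S+\.crl) "
    r"nextUpdate=(?P<expiration>[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT$"
)


def parse_log(text):
    """Return {crl_name: (logged, expiry)} keeping only the newest line per CRL."""
    latest = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate a partial line from an interrupted run
        # The logged stamp is the Windows host's local time; it is only used to
        # decide which line for a given CRL is the newest, never for date math.
        logged = datetime.strptime(m["logged"], "%m/%d/%Y %H:%M:%S")
        # openssl prints nextUpdate in GMT; pin the parsed value to UTC so the
        # comparison with now does not drift by the host's timezone offset.
        expiry = datetime.strptime(m["expiration"], "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        name = m["crl_name"]
        if name not in latest or logged > latest[name][0]:
            latest[name] = (logged, expiry)
    return latest


def expiring_soon(text, now, threshold_days=3.0):
    """Return [(crl_name, days_left)] for CRLs already expired or expiring within threshold_days.

    days_left is negative for an expired CRL; the most urgent entry is listed first.
    """
    hits = []
    for name, (_logged, expiry) in parse_log(text).items():
        days_left = (expiry - now).total_seconds() / 86400
        if days_left <= threshold_days:
            hits.append((name, round(days_left, 2)))
    return sorted(hits, key=lambda hit: hit[1])


if __name__ == "__main__":
    for name, days in expiring_soon(SAMPLE_LOG, SAMPLE_NOW):
        state = "EXPIRED" if days < 0 else "expires soon"
        print(f"{name}: {state} ({days:+.2f} days)")
```

With the sample data only crl2.crl is reported (about 3.8 days past its nextUpdate); crl3.crl is not, because its stale May 9 line is superseded by the May 16 line from the newer run. In SPL the same test is the reverse of the `>= relative_time(now(), "-1d@d")` condition: compute `eval days_left = (strptime(expiration, "%b %d %H:%M:%S %Y") - now()) / 86400`, keep the newest event per CRL with `dedup crl_name` (events arrive newest first), and alert on `where days_left <= 3`.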