Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Compare a field date with current date for alert

glen_drivas
Explorer
‎05-10-2019 11:17 AM

I have a simple windows script that collects CRL expiration dates and runs as a task every 24 hours

echo | set /P = "%date:~4,10% %time:~1,7% " >> c:\crl_expiration.log
echo | set /P = "crl1.crl " >> c:\crl_expiration.log
openssl crl -inform DER -in \\x.x.x.x\crl\crl1.crl -noout -nextupdate >> c:\crl_expiration.log
echo.>>c:\crl_expiration.log

The log output looks like this

05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT

These get indexed by Splunk

I need to compare the given CRL expiration date listed as nextUpdate to today and I need to create an alert if the CRL's are going to expire soon.

| eval dateadded_epoch = strptime('Date Added', "%b %d %H:%M:%S %Y") | where dateadded_epoch >= relative_time(now(), "-1d@d")

I have not been able to get this to work for some reason and if someone has a suggestion on a better way to do this, it would be welcome.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2019 10:27 PM

Like this:

| makeresults 
| eval _raw="05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT" 
| rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)"
| mvexpand expiration
| where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")
0 Karma
Reply

glen_drivas
Explorer
‎05-13-2019 10:50 AM

The date and time changes daily, the names also change over long periods of time.

The "-1d@d" doesn't seem to only display the results from the last day.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-13-2019 03:29 PM

You asked to compare the date to the current date. That is what the -1d@d does. I don't know what you mean; I only know what you write.

0 Karma
Reply

glen_drivas
Explorer
‎05-13-2019 03:52 PM

To attempt to get this working for real, I tried this

index=crl | rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)" |rex max_match=0 (?<crl_name>crl\S+.crl) | mvexpand expiration
 | where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")

It's showing all results, the "-1d@d" isn't limiting the results by dates specified.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-13-2019 04:19 PM

If that is so, it is definitely because all of the events have at least 1 value for expiration that is from today, which is what you asked for. It sounds like the data is not really how you expect it to be.

0 Karma
Reply

somesoni2
Revered Legend
‎05-10-2019 12:40 PM

Has the field been extracted correctly? Your raw data doesn't show any field name 'Date Added', just multiple entries for nextUpdate (only first one will be extracted by default).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...