Alerting

Compare a field date with current date for alert

glen_drivas
Explorer

I have a simple Windows script that collects CRL expiration dates and runs as a task every 24 hours

rem "echo | set /P" writes text without a trailing newline, so one log line is assembled in steps
echo | set /P = "%date:~4,10% %time:~1,7% " >> c:\crl_expiration.log
echo | set /P = "crl1.crl " >> c:\crl_expiration.log
rem openssl appends "nextUpdate=<date> GMT" for the CRL read from the share
openssl crl -inform DER -in \\x.x.x.x\crl\crl1.crl -noout -nextupdate >> c:\crl_expiration.log
rem terminate the log line
echo.>>c:\crl_expiration.log

The log output looks like this

05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT

These get indexed by Splunk

I need to compare the given CRL expiration date listed as nextUpdate to today, and I need to create an alert if the CRLs are going to expire soon.

| eval dateadded_epoch = strptime('Date Added', "%b %d %H:%M:%S %Y") | where dateadded_epoch >= relative_time(now(), "-1d@d")

I have not been able to get this to work for some reason and if someone has a suggestion on a better way to do this, it would be welcome.


woodcock
Esteemed Legend

Like this:

| makeresults 
| eval _raw="05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT" 
| rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)"
| mvexpand expiration
| where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")
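The same extraction and date comparison, written out as an added example in Python rather than SPL so the logic can be run and checked against the sample log lines. This is not code from the thread or from Splunk. It uses the same four-token capture after nextUpdate= and the same strptime format as the answer above, but it keeps the CRL file name attached to each expiry, tags the parsed time as UTC (openssl prints nextUpdate in GMT), and flags entries whose nextUpdate falls within a threshold window, which is the "expiring soon" test the question asks for. The log lines are constructed from the format in the question (the third one is given a later date so the threshold has something to exclude), and the evaluation time is fixed to 2019-05-10 13:00 UTC so the run is repeatable.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the log format from the question (not real CRL data).
# The third line gets a later nextUpdate so the threshold has something to exclude.
SAMPLE_LOG = """\
05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=Jun 30 17:00:00 2019 GMT
"""

# Assumed evaluation time, fixed so the example is repeatable.
# A real check would use datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2019, 5, 10, 13, 0, tzinfo=timezone.utc)

# Same four-token capture as the rex in the answer, plus the CRL file name in front
# and the zone token behind it, so every expiry stays tied to the CRL it belongs to.
ENTRY_RE = re.compile(
    r"(?P<crl_name>\S+\.crl)\s+nextUpdate="
    r"(?P<expiration>\S+\s\S+\s\S+\s\S+)\s+(?P<tz>\S+)"
)

# Same strptime format as the SPL in the thread.
FORMAT = "%b %d %H:%M:%S %Y"


def parse_entries(text):
    """Return (crl_name, nextUpdate as an aware UTC datetime) for every entry in text.

    finditer walks the whole string, so several entries merged into one event
    (the shape of the makeresults example in the answer) are all picked up.
    """
    entries = []
    for m in ENTRY_RE.finditer(text):
        if m.group("tz") not in ("GMT", "UTC"):
            raise ValueError(f"unexpected zone {m.group('tz')!r} for {m.group('crl_name')}")
        # openssl prints nextUpdate in GMT; tag it as UTC instead of reading it as local time.
        when = datetime.strptime(m.group("expiration"), FORMAT).replace(tzinfo=timezone.utc)
        entries.append((m.group("crl_name"), when))
    return entries


def expiring_soon(text, now=None, threshold_days=7):
    """Entries whose nextUpdate is already past or falls within threshold_days of now.

    Returns (crl_name, nextUpdate, days_left); days_left goes negative once the CRL has lapsed.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    cutoff = now + timedelta(days=threshold_days)
    return [
        (name, when, (when - now).total_seconds() / 86400)
        for name, when in parse_entries(text)
        if when <= cutoff
    ]


if __name__ == "__main__":
    for name, when, days_left in expiring_soon(SAMPLE_LOG, EXAMPLE_NOW):
        print(f"ALERT {name} nextUpdate={when:%Y-%m-%d %H:%M}Z, {days_left:.1f} days left")
```

Rendered back into SPL, the same check is roughly: index=crl | rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)" | mvexpand expiration | eval expires_epoch=strptime(expiration, "%b %d %H:%M:%S %Y") | eval days_left=(expires_epoch-now())/86400 | where days_left < 7. Note that the where clause in the answer, expiration >= relative_time(now(), "-1d@d"), keeps every row whose nextUpdate is later than yesterday's midnight, which is a "not yet expired" test rather than a countdown, so with a week of validity left every row passes it. Also, Splunk's strptime reads a string with no zone in the search's timezone; with a multi-day threshold the resulting offset of a few hours is harmless, but for exact arithmetic keep the GMT token in the capture and put the zone in the format string.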

glen_drivas
Explorer

The date and time change daily, and the names also change over long periods of time.

The "-1d@d" doesn't seem to only display the results from the last day.


woodcock
Esteemed Legend

You asked to compare the date to the current date. That is what the -1d@d does. I don't know what you mean; I only know what you write.


glen_drivas
Explorer

To attempt to get this working for real, I tried this:

index=crl
| rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)"
| rex max_match=0 "(?<crl_name>crl\S+\.crl)"
| mvexpand expiration
| where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")

It's showing all results, the "-1d@d" isn't limiting the results by dates specified.


woodcock
Esteemed Legend

If that is so, it is definitely because all of the events have at least 1 value for expiration that is from today, which is what you asked for. It sounds like the data is not really how you expect it to be.


somesoni2
Revered Legend

Has the field been extracted correctly? Your raw data doesn't show any field name 'Date Added', just multiple entries for nextUpdate (only first one will be extracted by default).
