Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Compare a field date with current date for alert

glen_drivas
Explorer
‎05-10-2019 11:17 AM

I have a simple windows script that collects CRL expiration dates and runs as a task every 24 hours

echo | set /P = "%date:~4,10% %time:~1,7% " >> c:\crl_expiration.log
echo | set /P = "crl1.crl " >> c:\crl_expiration.log
openssl crl -inform DER -in \\x.x.x.x\crl\crl1.crl -noout -nextupdate >> c:\crl_expiration.log
echo.>>c:\crl_expiration.log

The log output looks like this

05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT

These get indexed by Splunk

I need to compare the given CRL expiration date listed as nextUpdate to today and I need to create an alert if the CRL's are going to expire soon.

| eval dateadded_epoch = strptime('Date Added', "%b %d %H:%M:%S %Y") | where dateadded_epoch >= relative_time(now(), "-1d@d")

I have not been able to get this to work for some reason and if someone has a suggestion on a better way to do this, it would be welcome.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2019 10:27 PM

Like this:

| makeresults 
| eval _raw="05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT 05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT" 
| rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)"
| mvexpand expiration
| where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")
0 Karma
Reply

glen_drivas
Explorer
‎05-13-2019 10:50 AM

The date and time changes daily, the names also change over long periods of time.

The "-1d@d" doesn't seem to only display the results from the last day.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-13-2019 03:29 PM

You asked to compare the date to the current date. That is what the -1d@d does. I don't know what you mean; I only know what you write.

0 Karma
Reply

glen_drivas
Explorer
‎05-13-2019 03:52 PM

To attempt to get this working for real, I tried this

index=crl | rex max_match=0 "nextUpdate=(?<expiration>\S+\s\S+\s\S+\s\S+)" |rex max_match=0 (?<crl_name>crl\S+.crl) | mvexpand expiration
 | where strptime(expiration, "%b %d %H:%M:%S %Y") >= relative_time(now(), "-1d@d")

It's showing all results, the "-1d@d" isn't limiting the results by dates specified.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-13-2019 04:19 PM

If that is so, it is definitely because all of the events have at least 1 value for expiration that is from today, which is what you asked for. It sounds like the data is not really how you expect it to be.

0 Karma
Reply

somesoni2
Revered Legend
‎05-10-2019 12:40 PM

Has the field been extracted correctly? Your raw data doesn't show any field name 'Date Added', just multiple entries for nextUpdate (only first one will be extracted by default).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...