
How to get last updated time for log path files that aren't updated in the last 15 minutes?

From a Splunk search, I get results of the log files that aren't updated for the past 15 minutes. I created this using the set diff command. Now I want to show the last updated time of those log files beside their log path names.

| set diff
    [search index=* host=* | dedup source host | table source host | search source="*log"]
    [| inputlookup xyz.csv | dedup source host | table source host]
| dedup source host

xyz.csv is the file with all logs.

This search shows us the results of those log path files that aren't updated in the past 15 minutes if the search time is fixed for 15 min.


Ultra Champion
index=* host=*
| eval time=_indextime
| stats latest(time) as _time by source,host
| where _time < relative_time(now(),"-15m")

Hi,
If you want to get the last update time of the log path file that has not been updated in the past 15 minutes, I think it's okay here.

I'm sorry if the question is the CSV file update time.



Thanks a lot @to4kawa . It worked.


Ultra Champion

You're welcome, happy Splunking.


@to4kawa

This worked perfectly. I just wanted to do some modifications in it. So the above search gives us the result of the logs that didn't get updated in the last 15 min. So let's say the result is as follows:

source  host  _time
A       P
B       Q
C       R
D       S
E       T

But I know that particular servers are down and not working, and I'm sure the log paths wouldn't get updated. Say

1)
A P
D S

So I wanted to eliminate these in the final alert I get.

So I tried using the set diff command: | set diff [first search] [| inputlookup test.csv]

test.csv would have details of 1)

I wanted the final result as

source  host  _time
B       Q
C       R
E       T

But it doesn't work. Instead it gives me trash values. Let me know what went wrong and what should be done.


Ultra Champion
| metadata type=hosts index=*
| foreach *Time 
    [eval <<FIELD>> = strftime(<<FIELD>>,"%c")]

Hi, long time no see.

You can check the log status for each host with the above command.
This time I used strftime to make it easier to understand, but I think that you can add conditions with where instead.

It is not a direct answer, but for reference.

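An added example for the follow-up question about excluding the known-down servers; this is editor-supplied SPL, not part of to4kawa's answers. `set diff` compares complete result rows, and the rows from the first search carry the `_time` field that the rows from test.csv lack, so no row ever matches and the union of both sets comes back as the "trash values". Excluding the known-down source/host pairs with a NOT subsearch before the `stats` avoids the row comparison entirely; it assumes test.csv is uploaded as a lookup with `source` and `host` columns.

```spl
index=* host=*
    NOT [| inputlookup test.csv | fields source host]
| eval time=_indextime
| stats latest(time) as _time by source, host
| where _time < relative_time(now(), "-15m")
| table source host _time
```

The subsearch expands to `(source="A" host="P") OR (source="D" host="S")`, so those pairs are dropped at search time and only B/Q, C/R and E/T remain with their last index time.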