Hi all,
I'm wondering if there is a way to make a query with values that expire. For example, my query is:
index=checkpoint sourcetype=opsec* (src="192.168.1.1" OR src="192.168.1.2")
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature
| sort count DESC
| eventstats sum(count) as totalCount
I would like the src conditions in the query to expire after 30 days automatically. Is it possible?
This is a very unusual question, but you could do something like this:
index=checkpoint sourcetype=opsec*
[| makeresults
| eval end_date = strptime("15 Feb 2019", "%d %b %Y")
| eval conditions = if (_time > end_date, null(), "(src=192.168.1.1 OR src=192.168.1.2)")
| return $conditions]
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature
| sort count DESC
| eventstats sum(count) as totalCount
Just change the date to the date you want.
Hope this helps 🙂
Hi! Thank you very much; however, this isn't working quite the way I want it to. If I enter, for example, Feb 10, I would like it to show me 0 results (since it comes before Feb 11); instead it shows me everything other than the src IP in the eval conditions line.
Just change this line:
| eval conditions = if (_time > end_date, null(), "(src=192.168.1.1 OR src=192.168.1.2)")
to instead be
| eval conditions = if (_time > end_date, "src=_NO_MATCH_", "(src=192.168.1.1 OR src=192.168.1.2)")
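A broader version of the same subsearch trick, added here as an example and not part of either answer above: each watched source IP carries its own expiry date, expired entries are dropped at search time, and the `_NO_MATCH_` sentinel from the answer is always appended so that the outer search returns zero results once every entry has expired, rather than silently matching everything. The IP/date pairs, the `watch` field name and the `%Y-%m-%d` date format are assumed for illustration; in production the pairs would normally live in a lookup read with inputlookup instead of an inline string.

```spl
index=checkpoint sourcetype=opsec*
    [| makeresults
     | eval watch="192.168.1.1=2019-02-15,192.168.1.2=2019-03-31"
     | makemv delim="," watch
     | mvexpand watch
     | rex field=watch "^(?<src>[^=]+)=(?<expires>.+)$"
     | where strptime(expires, "%Y-%m-%d") > now()
     | fields src
     | append [| makeresults | eval src="_NO_MATCH_" | fields src]
     | format]
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature
| sort count DESC
| eventstats sum(count) as totalCount
```

The subsearch builds one row per IP, keeps only rows whose expiry is still in the future, and `format` turns the surviving `src` values into `( ( src="192.168.1.1" ) OR ( src="192.168.1.2" ) OR ( src="_NO_MATCH_" ) )`. Because the sentinel row is appended unconditionally, an empty list still yields a filter (`( ( src="_NO_MATCH_" ) )`) instead of an empty subsearch, which is the failure mode reported above. Check the normalized search in the job inspector after changing the dates to confirm the generated condition is what you expect.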
You're the best! Thank you very much!!!