Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create search for list of servers sending data in last 14 days from the lookup and not sending in last 7 days

karishmajain
Loves-to-Learn Lots
‎03-14-2022 01:38 AM

Hi Team,

Could you help me with the complete splunk query for  list of servers which are sending data in last 14 days from the lookup and not sending in last 7 days

if we write.... 

 

| eval day=if(_time<relative_time(now(),"-7d@d"),"sentdatalastweek","didnotsenddatainthelast7days")

 

what does that mean?

 

Regards

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 02:25 AM

It depends what is in the _time field for your events.

On the face of it, it looks like, if the value of _time is prior to the beginning of the day 7 days ago, you will get "sentdatalastweek", otherwise you will get "didnotsenddatainthelast7days" - this seems to be the wrong way round (assuming _time holds the time the data was sent)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 02:22 AM

Hi @karishmajain,

what do you mean when you say: "from the lookup"? are your data in an index or in one lookup?

Anyway, if your data is in one index, you can use the timestamp (_time) and use a check like the one you used:

index=your_index earliest=-14d latest=now
| eval week=if(_time<604800,"previousweek","lastweek")
| stats values(week) AS week dc(week) AS dc_week earliest(_time) AS earliest latest(_time) AS latest BY host
| where dc_check=1 AND week="previousweek"
| eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

0 Karma
Reply

karishmajain
Loves-to-Learn Lots
‎03-14-2022 08:03 AM

Got the required result by if (now()- _time<604800....

Thanks 

0 Karma
Reply

karishmajain
Loves-to-Learn Lots
‎03-14-2022 02:27 AM

Thanks for your input. I mean I have a csv file which has the list of servers ....from that inputlookup table I need to get the list of servers sending data in last 14 days but not in 7 days..could you please help me in that..

 

 

Thanks

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 02:39 AM

Hi @karishmajain,

this means that you have to monitor not all the servers, but only the ones in the lookup.

If the lookup is called "perimeter.csv" and it contain only one column called "host", you could try something like this:

index=your_index earliest=-14d latest=now [ | inputlookup perimeter.csv | fields host ]
| eval week=if(_time<604800,"previousweek","lastweek")
| stats values(week) AS week dc(week) AS dc_week earliest(_time) AS earliest latest(_time) AS latest BY host
| where dc_check=1 AND week="previousweek"
| eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

 

 

0 Karma
Reply

karishmajain
Loves-to-Learn Lots
‎03-14-2022 03:39 AM

Thanks so much for your help and input...not getting any result may be the case there is no such server(host)....thanks again for your help and time.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 03:56 AM

Hi @karishmajain,

what's the field name of the host in the lookup?

if it's different than host, you have to rename it on the square parenthesis, e.g. if it's called hostname, you have to run:

index=your_index earliest=-14d latest=now [ | inputlookup perimeter.csv | rename hostname AS host | fields host ]
| eval week=if(_time<604800,"previousweek","lastweek")
| stats values(week) AS week dc(week) AS dc_week earliest(_time) AS earliest latest(_time) AS latest BY host
| where dc_check=1 AND week="previousweek"
| eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

0 Karma
Reply

karishmajain
Loves-to-Learn Lots
‎03-14-2022 04:05 AM

Yes I renamed the field previously ..still no results ...

It's absolutely fine .

0 Karma
Reply

karishmajain
Loves-to-Learn Lots
‎03-14-2022 07:24 AM

is above query will give the list of all transmitted in 2 weeks .....need only those which are not triggering in last 7 days but triggering in 15 days.... 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 08:19 AM

Hi @karishmajain,

the condition 

| where dc_week=1 AND week="previousweek"

filters results to give you only the hosts that sent logs in the first week but not in the second.

ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-14-2022 04:41 AM

Hi @karishmajain,

sorry, my error: dc_week not dc_check in the where condition!

index=your_index earliest=-14d latest=now [ | inputlookup perimeter.csv | rename hostname AS host | fields host ]
| eval week=if(_time<604800,"previousweek","lastweek")
| stats values(week) AS week dc(week) AS dc_week earliest(_time) AS earliest latest(_time) AS latest BY host
| where dc_week=1 AND week="previousweek"
| eval earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...