Splunk queries

revanthammineni · ‎03-01-2021

Hi Splunkers,

I"m working on a report where I have to write report on hosts that are not reported for a week.

I used metadata to get all the hosts last reported time.

Example:

time                                    host
1/3/2021                          a1
1/3/2021                          b1
28/2/2021                       c1
27/2/2021                       d1
24/2/2021                       e1
22/2/2021                        f1
22/2/2021                        g1

How can I edit the field time to report hosts on 22/2/2021 (f1 and g1) ? Your answer would be helpful

Thanks in advance.

richgalloway · ‎03-01-2021

First, we need to convert the time field to epoch form so we can compare it. Then we'll compare that value to the epoch time for 7 days ago, which we create using the relative_time function.

... | eval etime=strptime(time, "%d/%m/%Y"), sevenDaysAgo=relative_time(now(), "-7d")
| where etime < sevenDaysAgo

---
If this reply helps you, Karma would be appreciated.

Splunk queries

monitor

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Splunk queries

monitor

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions