How to edit search string for date?


Hello fellow Splunkers. I need a little help with an issue I am having with one of my dashboards. I'm sure it's a simple fix, but I am having a tough time figuring out the correct way to do it. A little background: we created a dashboard to check the status of connected forwarders for our auditing purposes. With the new infrastructure we have a VDI setup that spins up a new hostname when a new user logs in. This results in our dashboard having a bunch of different forwarders showing as offline. I want to add to the search so that everything that hasn't reported into the dashboard in the past 5 days is not pulled into the chart. The search string is below; the time I would like to filter on is the last_phone_home. Thanks for any help you can provide!


| inputlookup hosts.csv
| table *
| join max=0 [| rest splunk_server=local /services/deployment/server/clients
| fields - applications.* serverClasses.* eai* splunk_server author id title
| collect index=summary addtime=true marker="dataset=deployment_server_clients"
| eval diff=now()-lastPhoneHomeTime
| eval status=if(diff>120, "Connection Failed", "Connection Successful")
| rename hostname as host]
| rename utsname as platform
| eval last_phone_home=strftime(lastPhoneHomeTime, "%F - %T")
| eval hostname=lower(hostname)
| eval last_hourly_check=strftime(last_hourly_check, "%F - %T")
| table host platform ip splunkVersion last_phone_home status
| sort status
| dedup host


You can create a lookup of UF connections to your Splunk instance.

Here's an example of something that I've used:

index=_internal sourcetype=splunkd group=tcpin_connections version=* os=* arch=* build=* hostname=* source=*metrics.log earliest=-1h@h
| stats latest(_time) as _time latest(version) as version,latest(arch) as arch,latest(os) as os,latest(build) as build latest(fwdType) AS type latest(sourceIp) AS src_ip by hostname
| eval last_seen_epoch=_time | eval last_seen_date=strftime(_time,"%Y-%m-%d")
| eval nt_host=UPPER(hostname)
| append [| inputlookup splunk_forwarder_client_version_lookup.csv]
| dedup nt_host
| eval last_seen_age = ROUND((now()-last_seen_epoch)/86400, 0)
| where last_seen_age < 31
| table nt_host arch os build version type src_ip last_seen_age last_seen_date last_seen_epoch
| outputlookup splunk_forwarder_client_version_lookup.csv




You should check the relative_date function to get the correct day. And when you are comparing those dates, it's better to convert them first to epoch (strptime). Later convert back to a human-readable format if needed.

BUT I think that there is an issue when you are using rest to get these UFs. Rest shows only those clients which have connected e.g. after you have reloaded the deployment server configuration etc. I expect that you are trying to fix this issue with your inputlookup and summary index, and probably this is fixing that? Another way is to look for those nodes in the _internal index. Just look for e.g. component=DC* or Deploy* and you will get a list of nodes which have connected earlier to your DS.

r. Ismo
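One way to apply the epoch-comparison approach from Ismo's reply to the search in the question, as an added example that is not code from either post: keep lastPhoneHomeTime (epoch seconds as returned by the REST endpoint) unconverted, compute the cutoff with relative_time, and filter before the strftime conversion. It assumes hosts.csv carries a host column to join on (the original join matches on whatever fields the two sides share), uses an explicit left join so expected hosts that have never phoned home stay visible for the audit instead of being silently dropped, and leaves out the collect into the summary index and the last_hourly_check field from the original.

```spl
| inputlookup hosts.csv
| eval host=lower(host)
| join type=left max=0 host [
    | rest splunk_server=local /services/deployment/server/clients
    | fields hostname utsname ip splunkVersion lastPhoneHomeTime
    | eval status=if(now()-lastPhoneHomeTime > 120, "Connection Failed", "Connection Successful")
    | rename hostname as host
    | eval host=lower(host)]
| eval cutoff_epoch=relative_time(now(), "-5d")
| where isnull(lastPhoneHomeTime) OR lastPhoneHomeTime >= cutoff_epoch
| eval status=coalesce(status, "Never Phoned Home")
| eval last_phone_home=if(isnull(lastPhoneHomeTime), "never", strftime(lastPhoneHomeTime, "%F - %T"))
| rename utsname as platform
| table host platform ip splunkVersion last_phone_home status
| sort status
| dedup host
```

Hosts whose last phone home is older than 5 days (the stale VDI sessions) are removed by the where clause, while hosts listed in hosts.csv that have no REST record at all are kept and labelled, since those are the ones an audit usually cares about. Lowercasing host on both sides before the join keeps case differences in hostnames from producing false "never phoned home" rows.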
