Monitoring Splunk

List searches searching old events

ktn01
Path Finder

Hello

Is it a way to find how much searches are searching events older than 2 years?

I need this information to evaluate the impact if I set the "tsidx retention policy" to two years.

Thanks

Labels (2)
Tags (1)
0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Hi @ktn01 ,

 

You could try something like this:

index=_audit TERM(action=search) TERM(info=completed)
| where search_et <= relative_time(now(), "-2y")
| table _time, user, search_et, search
| eval earliest=strftime(search_et, "%Y-%m-%dT%H:%M:%S")
| sort limit=0 search_et

 

 

Or if you want to be more precise you can use the difference between execution time and earliest time and return those greater than 2 years:

index=_audit TERM(action=search) TERM(info=completed)
| eval diffInYears = (exec_time-search_et)/(365*86400)
| where diffInYears > 2
| table _time, user, search_et, exec_time, diffInYears, search
| eval earliest=strftime(search_et, "%Y-%m-%dT%H:%M:%S")
| eval executionTime=strftime(exec_time, "%Y-%m-%dT%H:%M:%S")
| sort limit=0 search_et

Regards,

J

View solution in original post

javiergn
SplunkTrust
SplunkTrust

Hi @ktn01 ,

 

You could try something like this:

index=_audit TERM(action=search) TERM(info=completed)
| where search_et <= relative_time(now(), "-2y")
| table _time, user, search_et, search
| eval earliest=strftime(search_et, "%Y-%m-%dT%H:%M:%S")
| sort limit=0 search_et

 

 

Or if you want to be more precise you can use the difference between execution time and earliest time and return those greater than 2 years:

index=_audit TERM(action=search) TERM(info=completed)
| eval diffInYears = (exec_time-search_et)/(365*86400)
| where diffInYears > 2
| table _time, user, search_et, exec_time, diffInYears, search
| eval earliest=strftime(search_et, "%Y-%m-%dT%H:%M:%S")
| eval executionTime=strftime(exec_time, "%Y-%m-%dT%H:%M:%S")
| sort limit=0 search_et

Regards,

J

ktn01
Path Finder

Thanks for your help

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...