Solved: How to create a search that shows if the last seen...

crisp023 · ‎01-08-2020

I've tried a few different things but they don't appear to be working. I have a log that gives out the last day and time a particular software was seen on a machine (host properties last seen).

I want to create a search that shows if the last seen date was greater than 7 days.

Any thoughts on the best way to do this?

Thanks.

BainM · ‎01-08-2020

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

View solution in original post

BainM · ‎01-08-2020

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

How to create a search that shows if the last seen date was greater than 7 days

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to create a search that shows if the last seen date was greater than 7 days

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!