Solved: How to create a search that shows if the last seen... - Splunk Community

Splunk Enterprise Security

I've tried a few different things but they don't appear to be working. I have a log that gives out the last day and time a particular software was seen on a machine (host properties last seen).

I want to create a search that shows if the last seen date was greater than 7 days.

Any thoughts on the best way to do this?

Thanks.

1 Solution

Solution

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

View solution in original post

Solution

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...