Solved: How to create a search that shows if the last seen... - Splunk Community

Splunk Enterprise Security

I've tried a few different things but they don't appear to be working. I have a log that gives out the last day and time a particular software was seen on a machine (host properties last seen).

I want to create a search that shows if the last seen date was greater than 7 days.

Any thoughts on the best way to do this?

Thanks.

1 Solution

Solution

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

View solution in original post

Solution

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

View solution in original post

never-displayed

Additional options

Associated Products