Can you help me display a field date based on the ...

jip31 · ‎11-30-2018

Hello

In the query below I want to display the LasLogon and LastReboot fields from the following date conditions:

I just want to display a result if LastLogon < 2 days from the current day and if LastReboot >10 days from the current day

Could you help me please??

index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot") 
| eval LastLogon = strftime(strptime(LastLogon,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M") 
| rex field=LastLogon mode=sed "s/\..*$//" 
| eval LastBootUpTime = strftime(strptime(LastBootUpTime,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M") 
| rex field=LastBootUpTime mode=sed "s/\..*$//" 
| append 
    [ search index="ai-wkst-windows-fr" sourcetype="tools:flags" filename="hty" 
    | dedup host] 
| stats latest(LastLogon) as LastLogon, latest(LastBootUpTime) as LastReboot by host

493669 · ‎11-30-2018

First convert LastLogon and LastBootUpTime time into epoch.
Then using relative_time function find second last day and next 10 days epoch value
lastly compare these epoch values

| eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S")
| eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S")
| eval secondlastday=relative_time(now(), "-2d@d")
| eval nexttendays=relative_time(now(), "10d@d")
| where (LastLogon <secondlastday) AND (LastBootUpTime >nexttendays)

jip31 · ‎11-30-2018

perfect thanks!

jip31 · ‎01-03-2019

Hi

I am surprised to have no results even if I play with relative time et even if normally I should have results could you please tell me if the entire request is good please??

index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot") 
 | eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S")
 | eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S") 
 | eval secondlastday=relative_time(now(), "-2d@d")
 | eval nexttendays=relative_time(now(), "10d@d") 
 | where (LastLogon < secondlastday) AND (LastBootUpTime > nexttendays)

| stats latest(LastLogon) as LastLogon, latest(LastBootUpTime) as LastReboot by host

jip31 · ‎01-04-2019

now i wrothe this :

index="ai-wkst-windows-wmi-fr" (sourcetype="WMI:LastLogon" OR sourcetype="WMI:LastReboot") 
| eval LastLogon = strptime(LastLogon,"%Y%m%d%H%M%S") 
| eval LastBootUpTime = strptime(LastBootUpTime,"%Y%m%d%H%M%S") 
| eval secondlastday=relative_time(now(), "-2d@d") 
| eval nexttendays=relative_time(now(), "+10d@d") 
| where (LastLogon < secondlastday) AND (LastBootUpTime >nexttendays)
| eval LastLogon = strftime(LastLogon,"%d-%m-%Y %H:%M:%S") 
| eval LastBootUpTime = strftime(LastLogon,"%d-%m-%Y %H:%M:%S") 
| stats latest(LastLogon) as LastLogon, latest(LastBootUpTime) as LastReboot by host 
| sort -LastLogon

but I think there is an issue in the relative time calculation
for example with | eval secondlastday=relative_time(now(), "-2d@d"), I just want to have the events included between today and 2 days before but i think that with your code I have the events which exists from 2 day before the now() until the end
is it exact??

Can you help me display a field date based on the following conditions?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation