Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Enterprise
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Re: How to count dates of a field that are over no...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UMDTERPS
Communicator
06-19-2020
01:07 PM
I have a CSV that looks like the following:
| Organization | System | Scan Due Date | |
| ABC | Jack | 7-Feb-21 | |
| ABC | Jill | 9-May-20 | |
| 123 | Bob | Unspecified | |
| 123 | Alice | Unspecified | |
| 456 | James | 10-Jan-21 |
How do I do a count of the " Scan Due Date Field" that shows all of the events that are Overdue, Not Expired, and Unspecified? ( I want to eventually want to put the results of that search into a pie chart.
Any help is appreciated!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
06-19-2020
05:11 PM
sample:
| makeresults
| eval _raw="Organization,System,Scan_Due_Date
ABC,Jack,1418459200
ABC,Jill,1593547277
123,Bob,Unspecified
123,Alicez,Unspecified
456,James,1625083277"
| multikv forceheader=1
| table Organization,System,Scan_Due_Date
| rename COMMENT as "the logic"
| eval status=case(Scan_Due_Date >= now(),"Not Expired",Scan_Due_Date="Unspecified",Scan_Due_Date,true(),"Overdue")
| stats count by statustry Visualization >> Pie Chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
06-19-2020
05:11 PM
sample:
| makeresults
| eval _raw="Organization,System,Scan_Due_Date
ABC,Jack,1418459200
ABC,Jill,1593547277
123,Bob,Unspecified
123,Alicez,Unspecified
456,James,1625083277"
| multikv forceheader=1
| table Organization,System,Scan_Due_Date
| rename COMMENT as "the logic"
| eval status=case(Scan_Due_Date >= now(),"Not Expired",Scan_Due_Date="Unspecified",Scan_Due_Date,true(),"Overdue")
| stats count by statustry Visualization >> Pie Chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UMDTERPS
Communicator
06-24-2020
11:00 AM
| inputlookup scan_due_date.csv
| eval date = strptime('Scan Date', "%d-%b-%Y")
| eval duedate = if(isnull(date) OR date="", "Unspecified", date)
| eval status=case(duedate >= now(),"Not Expired",duedate="Unspecified",duedate true(),"Overdue")
| fields date duedate status
| stats count by status
Okay, figured it out. I had to convert the date using strptime using a capital "%Y" (Capital "%Y" is needed to convert "2020", lowercase "%y" would only work with "20"). Because striptime fills in "Unspecified" with blanks/null values, I had to do an eval "if" statement to fill in the blanks strptime created with "Unspecified" to bring it back.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UMDTERPS
Communicator
06-22-2020
12:22 PM
I put a strptime in and got it partially working:
| inputlookup scan_due_date.csv
| eval date = strptime('Scan Date', "%d-%b-%y")
| eval status=case(date >= now(),"Not Expired",date="Unspecified",date true(),"Overdue")
| stats count by status
However, it's not counting the "Unspecified" field values.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
06-19-2020
02:05 PM
How do you define "Overdue" and "Not Expired"?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UMDTERPS
Communicator
06-22-2020
09:39 AM
Overdue (Expired) means the "Scan Due Date" is a past date.
Not-Expired means the "Scan Due Date" is a date sometime in the future.
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
