Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help with search for specific dates?

AL3Z
Builder
‎01-30-2023 09:42 AM

Hi,

Could you help me in editing the below search 

index=test sourcetype="centino" | stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, values(first_find) as first_find, values(last_find) as last_find,  , values(systems) as system by id.

1. In the below output of fields we need to display only the date 2023-01-22 

first_find                                                 last_find

AL3Z_0-1675099386157.jpeg

2. Instead of receiving all the notifications we require, if today's date matches the first _find or the last_find, raise an alert
*todays date will change every day do not bound that with actual todays date*

Thanks...

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 10:57 AM

There are a few ways to reduce the timestamp to just the date.  The substr() function may be the easiest.

Use the now() function to get the current timestamp and the strftime() function to convert it into the same format as first_find and last_find.  Then the where command can compare them and only show events from today.

index=test sourcetype="issues" 
| eval first_find=substr(first_find, 1, 10), last_find=substr(last_find, 1, 10)
| stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, values(first_find) as first_find, values(last_find) as last_find,  , values(systems) as system by id
| eval today = strftime(now(), "%Y-%m-%d")
| where (match(first_find, today) OR match(last_find, today))

Note that this query may not work properly if first_find and last_find are multi-value fields.

 

---
If this reply helps you, Karma would be appreciated.
Reply

AL3Z
Builder
‎01-30-2023 04:14 PM

@richgalloway 

@itwishperer
@

Hi,

what if we have a multi valued fields,could you  pls make a search according to that 

 

Thanks..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-31-2023 07:52 AM

The concept of more than one "first" or "last" anything baffles me so here is a query that eliminates mutli-value firsts and lasts.

index=test sourcetype="issues" 
| eval first_find=substr(first_find, 1, 10), last_find=substr(last_find, 1, 10)
| stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, earliest(first_find) as first_find, latest(last_find) as last_find, values(systems) as system by id
| eval today = strftime(now(), "%Y-%m-%d")
| where (match(first_find, today) OR match(last_find, today))
---
If this reply helps you, Karma would be appreciated.
Reply

AL3Z
Builder
‎02-20-2023 06:24 AM

@richgalloway 

this search is not raising any alerts, what could be the problem, the first find and last time fields time in events looks like UTC time, do we need to normalise to IST to get it match if so how we can normalise it.
thnks.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-20-2023 12:03 PM

Normalize timestamps by using the strptime function to convert them into internal (epoch) form.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AL3Z
Builder
‎01-31-2023 11:21 PM

@richgalloway 

Hi,

This query is same as first query.

What the difference ?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-01-2023 05:29 AM

The difference is the second query uses earliest and latest instead of values for the first_find and last_find fields to avoid multi-value results.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...