Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help with search for specific dates?

AL3Z
Builder
‎01-30-2023 09:42 AM

Hi,

Could you help me in editing the below search 

index=test sourcetype="centino" | stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, values(first_find) as first_find, values(last_find) as last_find,  , values(systems) as system by id.

1. In the below output of fields we need to display only the date 2023-01-22 

first_find                                                 last_find

AL3Z_0-1675099386157.jpeg

2. Instead of receiving all the notifications we require, if today's date matches the first _find or the last_find, raise an alert
*todays date will change every day do not bound that with actual todays date*

Thanks...

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 10:57 AM

There are a few ways to reduce the timestamp to just the date.  The substr() function may be the easiest.

Use the now() function to get the current timestamp and the strftime() function to convert it into the same format as first_find and last_find.  Then the where command can compare them and only show events from today.

index=test sourcetype="issues" 
| eval first_find=substr(first_find, 1, 10), last_find=substr(last_find, 1, 10)
| stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, values(first_find) as first_find, values(last_find) as last_find,  , values(systems) as system by id
| eval today = strftime(now(), "%Y-%m-%d")
| where (match(first_find, today) OR match(last_find, today))

Note that this query may not work properly if first_find and last_find are multi-value fields.

 

---
If this reply helps you, Karma would be appreciated.
Reply

AL3Z
Builder
‎01-30-2023 04:14 PM

@richgalloway 

@itwishperer
@

Hi,

what if we have a multi valued fields,could you  pls make a search according to that 

 

Thanks..

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-31-2023 07:52 AM

The concept of more than one "first" or "last" anything baffles me so here is a query that eliminates mutli-value firsts and lasts.

index=test sourcetype="issues" 
| eval first_find=substr(first_find, 1, 10), last_find=substr(last_find, 1, 10)
| stats count, values(change_asset) as changed_asset, values(brief) as description, values(severity) as severity, values(exploitation_method) as exploitation_method, earliest(first_find) as first_find, latest(last_find) as last_find, values(systems) as system by id
| eval today = strftime(now(), "%Y-%m-%d")
| where (match(first_find, today) OR match(last_find, today))
---
If this reply helps you, Karma would be appreciated.
Reply

AL3Z
Builder
‎02-20-2023 06:24 AM

@richgalloway 

this search is not raising any alerts, what could be the problem, the first find and last time fields time in events looks like UTC time, do we need to normalise to IST to get it match if so how we can normalise it.
thnks.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-20-2023 12:03 PM

Normalize timestamps by using the strptime function to convert them into internal (epoch) form.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

AL3Z
Builder
‎01-31-2023 11:21 PM

@richgalloway 

Hi,

This query is same as first query.

What the difference ?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-01-2023 05:29 AM

The difference is the second query uses earliest and latest instead of values for the first_find and last_find fields to avoid multi-value results.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...