Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I filter time in a specific field in Search time?

dfigurello
Communicator
‎09-23-2014 09:06 AM

Hi Splunkers,

I need help creating a filter in a specific time field. My search is:

sourcetype=google is_disabled=False | eval n=strptime(accounts_last_login_time, "%Y-%m-%d") | convert timeformat="%d/%m/%Y" ctime(n) AS last_login | table login, last_login

So now, I need a help to create a filter to get users that haven't been logged in the previous 45 days.
(last_login > 45 days).

Any idea?

Cheers!

0 Karma
Reply

ltrand
Contributor
‎09-23-2014 11:42 AM

First you need to quantify the unknown (who are all of the users), or assume some level of inefficiency/error.

So, you could run your search on "All Time" and anything older than 45 days becomes the search criteria, but it's an expensive search and it assumes you have perfect logging and all users have utilized this at least once.

OR!

You need to give it a list of all users. A lookup.csv that is fed into Splunk at some normal interval for indexing and then it can search only within 45 days of current time and then spit out anyone not on the list.

That really is your first challenge since your methodology of determining who is a user will dictate what the search query will look like.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...