Splunk Search

How to add a filter in the search to have a field value newer than a period of choice?

bagarwal
Path Finder

I am working on a search to filter events to get the application names installed in the system. However, if I remove the application or uninstall it, it still appears in the event.
There is a field called LastUsedTime and the reason is we are still seeing the events as the logs retention period is for 90 days.

Now, I want a fresh result of the search where application name shall not come if I uninstall the same application from the system.
Can anyone help me to add a filter in the search listing for events having LastUsedTime newer than a period of choice (1 week, 1 month, etc.) or any other workaround for this?

It would be of great help.

Thanks in advance.

Binay Agarwal

0 Karma

bagarwal
Path Finder

Hi @tiagofbmm,

Thanks for your information.

Just to clarify, I mean, suppose I have the Firefox program installed in my system. Now, I am getting it in my Splunk event when I run the query, and this is expected.
Now, if I remove/uninstall Firefox from my system and then run the query, it still appears in the Splunk event. The reason, as I said, is the field LastUsedTime and the retention of 90 days.

Will your above answer help in this, and what does | rest /services/apps/local refer to? Sorry, this is a new concept for me, so I thought of asking.

Thanks again for your help.

Binay Agarwal

0 Karma

tiagofbmm
Influencer

Oh sorry, I thought you were about to uninstall Splunk Apps. Let me think about it again then.

0 Karma

tiagofbmm
Influencer

Hey

You can use the | rest /services/apps/local | dedup label | table label to get you the current situation of installed apps in Splunk.

With that, you can filter whatever you want just from the apps that are installed now.

Let me know if it helps.

0 Karma
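
A search of the kind the question asks for, added here as an example and not written by any poster in this thread: it keeps, per host and application, only the most recent LastUsedTime and drops applications whose latest use is older than the chosen window. The index and sourcetype placeholders, the field name ApplicationName, and the LastUsedTime format "%Y-%m-%d %H:%M:%S" are assumptions; only LastUsedTime and the 90-day retention come from the thread.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-90d
| eval last_used_epoch = strptime(LastUsedTime, "%Y-%m-%d %H:%M:%S")
| where isnotnull(last_used_epoch)
| stats max(last_used_epoch) AS last_used_epoch BY host, ApplicationName
| where last_used_epoch >= relative_time(now(), "-7d@d")
| eval LastUsed = strftime(last_used_epoch, "%Y-%m-%d %H:%M:%S")
| table host, ApplicationName, LastUsed
| sort host, ApplicationName
```

Change "-7d@d" to "-1mon@d" for a one-month window. An application removed inside the window keeps appearing until its last LastUsedTime ages out of it.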