Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out the first occurrence of an event with a search?

jmcaloon
Explorer
‎02-23-2017 02:22 PM

Currently I am trying to figure out a way to pull the first time an event occurred. Specifically when one of our programs check in for the first time with the latest update.

Currently I can pull the most recent event, but it would be better for troubleshooting to pull the first event if an issue occurred due to a new version.

Here is the current code I have:

ComputerName= * event_platform=Win| spath event_simpleName | search event_simpleName=SensorHeartbeat| spath ConfigBuild | search ConfigBuild!="(Whatever Verison its on)"|dedup ComputerName

What I would like it to do is to pull the first time the computer checked in with a version of config build. I tried using the stats command, but had no luck. Any suggestions?

Thank you,
Jack

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-23-2017 02:29 PM

The spath command is going to be extracting data from a json or html field called ConfigBuild.

Try this and inspect the event returned in order to see what the name of the version field is.

ComputerName= * event_platform=Win index=myindex
| spath event_simpleName 
| search event_simpleName=SensorHeartbeat
| spath ConfigBuild 
| head 1

Let's assume the name is something like "myversion"

ComputerName= * event_platform=Win index=myindex
| spath event_simpleName 
| search event_simpleName=SensorHeartbeat
| spath ConfigBuild 
| stats earliest(_time) as FirstBuild latest(_time) as LastBuild by ComputerName myversion
| eval FirstBuild=strftime(FirstBuild,"%Y-%m-%d %H:%M:%S")
| eval LastBuild=strftime(LastBuild,"%Y-%m-%d %H:%M:%S")
| sort 0 ComputerName -LastBuild

That should give you a table of the first and last times that each particular build was present on each particular computer. Personally, I would not limit the search to the most recent version, since it might be relevant what version it was upgraded from, as well.

And, one more little filigree here. If you want only one computer, obviously you'd put it in place of the the * above. But if you want a small list, then you can do it this way -

ComputerName= * event_platform=Win index=myindex
 [|makeresults | eval ComputerName="name1 name2 name3 name4" | makemv ComputerName | mvexpand ComputerName | table ComputerName]
 | spath event_simpleName 
 | search event_simpleName=SensorHeartbeat
 | spath ConfigBuild 
 | stats earliest(_time) as FirstBuild latest(_time) as LastBuild by ComputerName myversion
 | eval FirstBuild=strftime(FirstBuild,"%Y-%m-%d %H:%M:%S")
 | eval LastBuild=strftime(LastBuild,"%Y-%m-%d %H:%M:%S")
 | sort 0 ComputerName -LastBuild

If you wanted a large list, then you'd probably use a join to a loadcsv.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-23-2017 02:32 PM

Did you try ComputerName= * event_platform=Win| spath event_simpleName | search event_simpleName=SensorHeartbeat| spath ConfigBuild | search ConfigBuild!="(Whatever Version its on)"|dedup ComputerName | stats earliest(Version) by ComputerName ?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-23-2017 02:29 PM

The spath command is going to be extracting data from a json or html field called ConfigBuild.

Try this and inspect the event returned in order to see what the name of the version field is.

ComputerName= * event_platform=Win index=myindex
| spath event_simpleName 
| search event_simpleName=SensorHeartbeat
| spath ConfigBuild 
| head 1

Let's assume the name is something like "myversion"

ComputerName= * event_platform=Win index=myindex
| spath event_simpleName 
| search event_simpleName=SensorHeartbeat
| spath ConfigBuild 
| stats earliest(_time) as FirstBuild latest(_time) as LastBuild by ComputerName myversion
| eval FirstBuild=strftime(FirstBuild,"%Y-%m-%d %H:%M:%S")
| eval LastBuild=strftime(LastBuild,"%Y-%m-%d %H:%M:%S")
| sort 0 ComputerName -LastBuild

That should give you a table of the first and last times that each particular build was present on each particular computer. Personally, I would not limit the search to the most recent version, since it might be relevant what version it was upgraded from, as well.

And, one more little filigree here. If you want only one computer, obviously you'd put it in place of the the * above. But if you want a small list, then you can do it this way -

ComputerName= * event_platform=Win index=myindex
 [|makeresults | eval ComputerName="name1 name2 name3 name4" | makemv ComputerName | mvexpand ComputerName | table ComputerName]
 | spath event_simpleName 
 | search event_simpleName=SensorHeartbeat
 | spath ConfigBuild 
 | stats earliest(_time) as FirstBuild latest(_time) as LastBuild by ComputerName myversion
 | eval FirstBuild=strftime(FirstBuild,"%Y-%m-%d %H:%M:%S")
 | eval LastBuild=strftime(LastBuild,"%Y-%m-%d %H:%M:%S")
 | sort 0 ComputerName -LastBuild

If you wanted a large list, then you'd probably use a join to a loadcsv.

Reply
Solved! Jump to solution

jmcaloon
Explorer
‎02-24-2017 07:45 AM

These suggestions got me to exactly what I needed. Thank you !

Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-24-2017 08:43 AM

You are quite welcome!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...