Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get earliest datetime

poojak2579
Path Finder
‎09-09-2017 06:51 PM

I have a field which contains first_found_date and due to some reason it keeps on changing for some of the assets.

Example:
If an asset "A1" has 3 first_found_date over a period of time:
2017-06-20 22:30:30
2016-05-25 22:30:30
2017-01-25 22:30:30

I want to use earliest first_found(i.e 2016-05-25 22:30:30) in all my reports.
If I use the following query to check the earliest first_found , it takes more than 1 hour to get the value because it has to go through all the records over the period of time.

sourcetype=a
|eval combo = Asset+"_"+ID
|stats min(FIRST_FOUND) as earliest_ff by combo

Is there any way we can correlate the asset with its earliest first_found_date without editing props.conf?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-10-2017 01:30 AM

There are several ways.

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| stats earliest(FIRST_FOUND) AS earliest_ff BY Asset ID
| eval combo = Asset+"_"+ID
| table combo earliest_ff

Or this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| reverse
| dedup Asset ID
| eval combo = Asset+"_"+ID
| table combo FIRST_FOUND
| rename FIRST_FOUND AS earliest_ff

View solution in original post

Reply
Solved! Jump to solution

poojak2579
Path Finder
‎09-12-2017 03:29 PM

Let me make it more clear. There are vulnerabilities on the assets.
ID is the Vulnerability Id and First_Found is the date when it was first found on the asset.
Because of some reason there are multiple First_Found for the combination of Asset+Id.
I want to take earliest First_Found and assign it to the combination of Asset+Id.
I have scheduled a query to run everyday which will check Earliest First_Found in last one year and it takes long time to run.
Is there any way we can assign min of First_Found to Asset+Id so that I don't have to run that query over and over again?

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-10-2017 01:30 AM

There are several ways.

Like this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| stats earliest(FIRST_FOUND) AS earliest_ff BY Asset ID
| eval combo = Asset+"_"+ID
| table combo earliest_ff

Or this:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=a
| reverse
| dedup Asset ID
| eval combo = Asset+"_"+ID
| table combo FIRST_FOUND
| rename FIRST_FOUND AS earliest_ff
Reply
Solved! Jump to solution

poojak2579
Path Finder
‎09-12-2017 02:15 PM

Thanks for the reply.
I am already using the first code but it is taking long time to run the query because I have to check million of records with a time range of more than 1 year.
I want to normalize it, assign the min(First_Found) to all the combos at once and then use it everywhere.
Please let me know if there is any other way to do it.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-12-2017 08:56 PM

You will have to make it an index-time field or create an accelerated data model so that you can use tstats. You might also use a summary index.

0 Karma
Reply
Solved! Jump to solution

poojak2579
Path Finder
‎09-13-2017 08:24 AM

I tried accelerated Datamodel and summary index but it didn't work because of some limitations .

https://answers.splunk.com/answers/556349/how-to-join-data-from-two-indexes.html
https://answers.splunk.com/answers/569099/lookup-fields-not-updating-in-the-datamodel.html

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...