Re: Make eval time minutes

troy44112 · ‎03-22-2022

What do I need to add to this search, to make this search | where Need >= 60min

| tstats max(_indextime) AS Late where earliest=-24h latest=now (index=bluff) by sourcetype
| eval CurrentTime=now()
| eval Need = CurrentTime - Late, LastIngestionTime=strftime(Late,"%Y/%m/%d %H:%M:%S %Z"), CurrentTime =strftime(CurrentTime,"%Y/%m/%d %H:%M:%S %Z")
| table sourcetype, LastIngestionTime, CurrentTime, Need
| rename LastIngestionTime as "Last", CurrentTime AS "Search time", Need AS "Latency in Minutes"

venky1544 · ‎03-22-2022

Hi @troy44112

in your query

| eval Need = CurrentTime - Late

since the subtraction is in epoch time format it would give the values in seconds

|eval need = (CurrentTime-late)/60 use something like this to convert it into minutes and then use the where clause need >=60

Hope this helps

venky1544 · ‎03-23-2022

Hi @troy44112

if you think the solution can you please accept the solution whichever was relevant for your use case

karma points are appreciated

gcusello · ‎03-22-2022

Hi @troy44112,

did you tried something like this?

| tstats max(_indextime) AS Late where earliest=-24h latest=now (index=bluff) by sourcetype
| eval CurrentTime=now()
| eval Need = CurrentTime - Late, LastIngestionTime=strftime(Late,"%Y/%m/%d %H:%M:%S %Z"), CurrentTime =strftime(CurrentTime,"%Y/%m/%d %H:%M:%S %Z")
| where Need>=3600
| table sourcetype, LastIngestionTime, CurrentTime, Need
| rename LastIngestionTime as "Last", CurrentTime AS "Search time", Need AS "Latency in Minutes"

Ciao.

Giuseppe

troy44112 · ‎03-22-2022

@gcusello What does the 3600 represent?
I am trying to figure out the calculation.
ie: if I want to change it to 60min, 45min, 90min etc..

gcusello · ‎03-22-2022

Hi @troy44112,

you asked the condition for 60 minutes: 3600 are the seconds in 60 minutes.

time differences are expressed in seconds, so you can find the number to use in the check.

Ciao.

Giuseppe

troy44112 · ‎03-23-2022

@gcusello @venky1544,

When I set the alert it runs off of "current time" search, so results are returned even though there isn't a delay. Would you happen to know how to change this search to if there is a delay of >60min. Rather than subtracting the current time from the last ingestion time?

gcusello · ‎03-23-2022

Hi @troy44112,

Hi did you tried to use a different earliest and latest?

| tstats max(_indextime) AS Late where earliest=-25h@h latest=-h@h (index=bluff) by sourcetype
| eval CurrentTime=now()
| eval Need = CurrentTime - Late, LastIngestionTime=strftime(Late,"%Y/%m/%d %H:%M:%S %Z"), CurrentTime =strftime(CurrentTime,"%Y/%m/%d %H:%M:%S %Z")
| where Need>=3600
| table sourcetype, LastIngestionTime, CurrentTime, Need
| rename LastIngestionTime as "Last", CurrentTime AS "Search time", Need AS "Latency in Minutes"

Ciao.

Giuseppe

troy44112 · ‎03-25-2022

@gcusello ,
It still isn't working. The alert subtracts from whenever the search is ran & the "late" variable, then outputs it as latency. Rather than alerting if there is a delay >60min.

How to make eval time minutes?

search job inspector

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?