Splunk Search

How to not Display Data that is less than 10 days old?


Hello all,

I know this has been asked many different ways but, I cant seem to get the search correct. 

I am attempting to "Don't Display Data that is less than 10 days old. I have to set-up a whitelist via a look table, the idea here is we add IP's or URL that show no threat, so want to stop seeing alerts coming in. But - we want to recheck the data again in 10 days.

This is my test search, But it still shows IP or URL's in the lookup table.




| from datamodel:"Threat_Intelligence"."Threat_Activity" 
| search NOT [| inputlookup my_whitelist.csv | fields threat_match_value] 
| where lastSeen>=relative_time(now(),"-10d") AND _time<=now()
| table _time threat_match_value




My look table fields are 


Labels (2)
Tags (1)
0 Karma


What fields are returned by your initial search?

The search NOT line will expand to a set of equalities such as 'threat_match_value = "xyz"' OR 'threat_match_value = "abc"', so unless you have a find in your initial search called threat_match_value, this line is unlikely to perform as you might be expecting

0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...