Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to not Display Data that is less than 10 days old?

IndyJones1345
Observer
‎08-30-2022 07:39 AM

Hello all,

I know this has been asked many different ways but, I cant seem to get the search correct. 

I am attempting to "Don't Display Data that is less than 10 days old. I have to set-up a whitelist via a look table, the idea here is we add IP's or URL that show no threat, so want to stop seeing alerts coming in. But - we want to recheck the data again in 10 days.

This is my test search, But it still shows IP or URL's in the lookup table.

 

 

 

| from datamodel:"Threat_Intelligence"."Threat_Activity" 
| search NOT [| inputlookup my_whitelist.csv | fields threat_match_value] 
| where lastSeen>=relative_time(now(),"-10d") AND _time<=now()
| table _time threat_match_value

 

 

 

My look table fields are 

uc.png

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2022 08:01 AM

What fields are returned by your initial search?

The search NOT line will expand to a set of equalities such as 'threat_match_value = "xyz"' OR 'threat_match_value = "abc"', so unless you have a find in your initial search called threat_match_value, this line is unlikely to perform as you might be expecting

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...