- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to search for duration between events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, Splunkers friends,
I need your support; I have a script running on Splunk once at a day, it brings me password last update information on the servers, for example: "Thu Jun 20 17:52:55 2019".
What I need to know is calculation the days that have passed since the last password change,
for example: "this user has not changed the password for the last 7 days, 6 days, 1 day" etc, like a traffic light.
Is there a way to calculate that on a search having this information?
Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @julian0125,
Yeap, totally possible. Try this search :
| makeresults
| eval timeField="Thu Jun 20 17:52:55 2019"
| eval epochTimeField=strptime(timeField, "%c")
| eval timeNow=now()
| eval TimeSincePasswordChangeInSeconds=tostring(timeNow-epochTimeField,"duration")
Hope that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will need some adjustment
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| rex "(?<TimeLastUpdatePW>\w{3}\s\w{3}\s\d+\s\d+:\d+:\d+\s=d{4})"
| eval TimeLastUpdatePW=strptime(TimeLastUpdatePW, "%a %b %d %H:%M:%S %Y")
| eval ago = TimeLastUpdatePW - now()
| eval ago = tostring(ago, "duration")
| eval Message = "This user has not changed the password for the last " . ago
| table Message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @julian0125,
Yeap, totally possible. Try this search :
| makeresults
| eval timeField="Thu Jun 20 17:52:55 2019"
| eval epochTimeField=strptime(timeField, "%c")
| eval timeNow=now()
| eval TimeSincePasswordChangeInSeconds=tostring(timeNow-epochTimeField,"duration")
Hope that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @DavidHourani
Hi, Thanks for your help, i have a field named: "Last_Update" where i recieved all info date like: "Thu Jun 20 17:52:55 2019", is there a way to do it automatically insted of putting manually the date? to know all of them
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try below search
<yourBaseSearch>
| eval diff=tostring(now() - strptime(<yourDateTimefield>, "%a %b %d %H:%M:%S %Y"), "duration")
Below is run anywhere search
| makeresults
| eval date="Thu Jun 20 17:52:55 2019"
| eval diff=tostring(now() - strptime(date, "%a %b %d %H:%M:%S %Y"), "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Thanks for your help, i have a field named: "Last_Update" where i recieved all info date, is there a way to do it automatically insted of putting manually the date: "Thu Jun 20 17:52:55 2019"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so your search will be
<yourBaseSearch>
| eval diff=tostring(now() - strptime(Last_Update, "%a %b %d %H:%M:%S %Y"), "duration")
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
