Splunk Search

How to see only the events where "firstSeen" is within the last 7 days?

marceldera
Explorer

I have this dataset in Splunk; I am trying to see only the events where "firstSeen" is within the last 7 days.

I tried | where firstSeen<7d but that didn't work either.

state Age dnsName firstSeen ip lastSeen severity pluginID
open 32.49 28-Nov-22  28-Nov-22  10.102.10.1 29-Nov-22 informational 10180
open 1 Cat  28-Nov-22 10.102.1.23 29-Nov-22 informational 11219
open 34.06   22-Nov-22   29-Nov-22 informational 19506
open 5.6 Dog  23-Nov-22   28-Nov-22 informational 168007
open 22.65 Lion 6-Nov-22   28-Nov-22 informational 166958
open 31.64 tiger 28-Oct-22   28-Nov-22 informational 166602
open 120.63 giraf 25-Nov-22   28-Nov-22 informational 163588
open 68.47 leap 21-Sep-22   28-Nov-22 informational 163489
open 68.47 big dog 21-Sep-22   28-Nov-22 informational 163488

marceldera
Explorer

This is the query that I used; it is returning no results:

index=tenable* sourcetype="*" | where pluginID <1000000
| eval firstSeen=strftime(firstSeen, "%m/%d/%Y %H:%M:%S")
| eval lastSeen=strftime(lastSeen, "%m/%d/%Y %H:%M:%S")
| eval discovery = strptime(lastSeen, "%m/%d/%Y %H:%M:%S") - strptime(firstSeen, "%m/%d/%Y %H:%M:%S")
| eval Age = round(discovery / 86400, 2)
| eval firstSeen =strftime(strptime(firstSeen,"%m/%d/%Y %H:%M:%S"),"%d-%B-%y")
| eval lastSeen =strftime(strptime(lastSeen,"%m/%d/%Y %H:%M:%S"),"%d-%B-%y")
| dedup pluginID
| where firstSeen>now()-7*86400
| table State Age dnsName firstSeen ip lastSeen severity pluginID


yuanliu
SplunkTrust

Purely based on your sample code, there are several mistakes; the most serious one is trying to calculate a numeric value based on the output from strftime, which is a string.

If I take blind faith in your code, I'd modify it to

index=tenable* sourcetype="*" | where pluginID <1000000
| dedup pluginID
| eval discovery = lastSeen - firstSeen
| eval Age = round(discovery / 86400, 2)
| where relative_time(firstSeen, "+7d") >= now()
| fieldformat firstSeen =strftime(firstSeen,"%d-%B-%y")
| fieldformat lastSeen =strftime(lastSeen,"%d-%B-%y")
| table State Age dnsName firstSeen ip lastSeen severity pluginID

yuanliu
SplunkTrust

How is it that your "dataset" contains a field "Age" but you are also calculating it based on a field that doesn't exist in your dataset, namely "lastSeen"? Is that table the output, not your dataset?

Without knowing what your raw data looks like, no one can tell you what to expect.


PickleRick
SplunkTrust

It's hard to be certain from this table, but firstSeen will most probably be a string. You have to parse it with strptime into a numerical timestamp. Then you simply filter with

| where your_timestamp>now()-7*86400
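The parse-then-filter approach from the two answers above, worked end to end on a few rows copied from the table in the question (an added example, not a search from any of the posts; the split/mvexpand rows, the field names firstSeen_epoch, lastSeen_epoch and ref_time, and the pinned reference date are constructed). The sample dates use abbreviated month names ("Nov"), so the format string is "%d-%b-%y", not the "%B" from the original query; Age is computed from the epoch values, not from strftime output:

```spl
| makeresults
| eval row=split("Cat,28-Nov-22,29-Nov-22,11219;Lion,6-Nov-22,28-Nov-22,166958;tiger,28-Oct-22,28-Nov-22,166602", ";")
| mvexpand row
| eval f=split(row, ",")
| eval dnsName=mvindex(f, 0), firstSeen=mvindex(f, 1), lastSeen=mvindex(f, 2), pluginID=mvindex(f, 3)
| eval firstSeen_epoch=strptime(firstSeen, "%d-%b-%y"), lastSeen_epoch=strptime(lastSeen, "%d-%b-%y")
| eval Age=round((lastSeen_epoch - firstSeen_epoch) / 86400, 2)
| eval ref_time=strptime("29-Nov-22", "%d-%b-%y")
| where firstSeen_epoch >= relative_time(ref_time, "-7d")
| fieldformat firstSeen_epoch=strftime(firstSeen_epoch, "%d-%b-%y")
| table dnsName Age firstSeen_epoch lastSeen pluginID
```

Only the "Cat" row (firstSeen 28-Nov-22, Age 1) survives the where clause; Lion and tiger are older than 7 days relative to the pinned date. In the real search, drop the ref_time line and compare against now() instead, since the reference date is fixed here only so the 2022 sample rows give a predictable result.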