Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to view creation time logs compare with index time and timestamp?

Zarack
Engager
‎03-23-2023 05:39 AM

I have some Checkpoint logs (Firewall) that are generating an alert (Data hygiene - events in the future), I would like to know how I can confirm that the logs are arriving with the time in the future because they are coming with the time generated in the Checkpoint(Firewall)

Zarack_1-1679574804660.png

I tried using some SPLs but I don't know if that's right.

Examples:

SPL:

| rest /services/data/indexes
| search title=checkpoint
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(maxTime) as "Earliest Event Time" first(minTime) as "Latest Event Time" first(now) as "Current Date" first(currentDBSizeMB) as currentDBSizeMB by title
| rename title as "Index"
| sort - currentDBSizeMB
| eval "Index Size in GB"= round(currentDBSizeMB/1000,2)
| table Index "Earliest Event Time" "Latest Event Time" "Current Date" "Index Size in GB" updated

=======================================================================
OR this SPL:
index=idx_checkpoint earliest=+5m latest=+10y
| eval criationtimelog=strftime(creation_time,"%Y-%m-%d %H:%M:%S")
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| table host _time indextime criationtimelog


0 Karma
Reply

yeahnah
Motivator
‎03-23-2023 07:06 PM

Hi @Zarack

You look to be on the right track.  Give this a go ...

index=idx_checkpoint earliest=now latest=+10y
| eval indextime=_indextime
      ,timediff=(_time - indextime)
| where timediff > 60 
| eval indextime=strftime(indextime, "%Y-%m-%d %H:%M:%S")
| table host _time indextime timediff

Note, the UI renders _time in a local time format but it's really an epoch time value.

Hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...