How to view creation time logs compare with index ...

Zarack · ‎03-23-2023

I have some Checkpoint logs (Firewall) that are generating an alert (Data hygiene - events in the future), I would like to know how I can confirm that the logs are arriving with the time in the future because they are coming with the time generated in the Checkpoint(Firewall)

I tried using some SPLs but I don't know if that's right.

Examples:

SPL:

| rest /services/data/indexes
| search title=checkpoint
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(maxTime) as "Earliest Event Time" first(minTime) as "Latest Event Time" first(now) as "Current Date" first(currentDBSizeMB) as currentDBSizeMB by title
| rename title as "Index"
| sort - currentDBSizeMB
| eval "Index Size in GB"= round(currentDBSizeMB/1000,2)
| table Index "Earliest Event Time" "Latest Event Time" "Current Date" "Index Size in GB" updated

=======================================================================
OR this SPL:
index=idx_checkpoint earliest=+5m latest=+10y
| eval criationtimelog=strftime(creation_time,"%Y-%m-%d %H:%M:%S")
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| table host _time indextime criationtimelog

yeahnah · ‎03-23-2023

Hi @Zarack

You look to be on the right track. Give this a go ...

index=idx_checkpoint earliest=now latest=+10y
| eval indextime=_indextime
      ,timediff=(_time - indextime)
| where timediff > 60 
| eval indextime=strftime(indextime, "%Y-%m-%d %H:%M:%S")
| table host _time indextime timediff

Note, the UI renders _time in a local time format but it's really an epoch time value.

Hope it helps

How to view creation time logs compare with index time and timestamp?

other

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup