I have some Checkpoint logs (Firewall) that are generating an alert (Data hygiene - events in the future), I would like to know how I can confirm that the logs are arriving with the time in the future because they are coming with the time generated in the Checkpoint(Firewall)
I tried using some SPLs but I don't know if that's right.
Examples:
SPL:
| rest /services/data/indexes
| search title=checkpoint
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(maxTime) as "Earliest Event Time" first(minTime) as "Latest Event Time" first(now) as "Current Date" first(currentDBSizeMB) as currentDBSizeMB by title
| rename title as "Index"
| sort - currentDBSizeMB
| eval "Index Size in GB"= round(currentDBSizeMB/1000,2)
| table Index "Earliest Event Time" "Latest Event Time" "Current Date" "Index Size in GB" updated
=======================================================================
OR this SPL:
index=idx_checkpoint earliest=+5m latest=+10y
| eval criationtimelog=strftime(creation_time,"%Y-%m-%d %H:%M:%S")
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| table host _time indextime criationtimelog
Hi @Zarack
You look to be on the right track. Give this a go ...
index=idx_checkpoint earliest=now latest=+10y
| eval indextime=_indextime
,timediff=(_time - indextime)
| where timediff > 60
| eval indextime=strftime(indextime, "%Y-%m-%d %H:%M:%S")
| table host _time indextime timediff
Note, the UI renders _time in a local time format but it's really an epoch time value.
Hope it helps