Splunk Search

PCs not scanned for more than 3 days

numeroinconnu12
Path Finder

Hello,

This is my request:

index=antivirus
    | stats values(SAVVersion) as SAVVersion, values(EngineVersion) as EngineVersion ,values(VirusDataVersion) as VirusDataVersion,  max(LastMessageTime) as LastMessageTime, max(LastScanDateTime) as LastScanDateTime by Name
    | sort LastScanDateTime
    | eval diff=round((Now() - LastScanDateTime)/60/60/24)
    | eval "active the last seven days ?"=if(round((Now() - LastMessageTime)/60/60/24)>7,"NO","YES")
    | where (diff > 3) OR isnull(diff)
    | fillnull value="-"
    | sort - "active the last seven days ?" - diff

I would like to have only the PCs (Name) not scanned (LastScanDateTime) for more than three days, but my request does not work: it returns all the PCs. Can you please help me?
Sorry for my English.

PickleRick
SplunkTrust

Firstly - no point in sorting the data if you want to filter the entries anyway. It'd be more efficient to filter first, then sort - possibly less data to sort.

But to the point - is your LastScanDateTime properly set? Are you sure you don't need to strptime() it first, before doing a comparison to now()?

Oh, and round()-ing the difference will show you results which are more than 7.5 days behind, not 7. You don't need to do round() to just compare to a value and even if you wanted it to - for example - calculate a new field with number of days since last check, you'd rather use floor(), not round().

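The two pitfalls raised in the reply above, comparing a raw timestamp string against now() and round()-ing the difference before the comparison, can be seen side by side in this added Python model of the query's pipeline. It is not Splunk code and not part of the thread; it assumes Splunk's eval and stats semantics as documented (stats max() over non-numeric strings picks the lexicographically largest value, and eval arithmetic on a non-numeric field yields null rather than an error). The events, PC names and the fixed "now" are constructed for the example.

```python
from datetime import datetime, timezone
from math import floor

FMT = "%m/%d/%Y %H:%M:%S"  # layout the fixed query passes to strptime()

# Constructed sample events standing in for index=antivirus (not real data).
EVENTS = [
    {"Name": "PC-A", "LastScanDateTime": "03/15/2025 08:00:00", "LastMessageTime": "03/20/2025 08:00:00"},
    {"Name": "PC-A", "LastScanDateTime": "12/01/2024 08:00:00", "LastMessageTime": "12/01/2024 08:00:00"},
    {"Name": "PC-B", "LastScanDateTime": "03/17/2025 12:00:00", "LastMessageTime": "03/19/2025 12:00:00"},
    {"Name": "PC-C", "LastScanDateTime": None,                  "LastMessageTime": "03/01/2025 12:00:00"},
    {"Name": "PC-D", "LastScanDateTime": "03/19/2025 12:00:00", "LastMessageTime": "03/20/2025 12:00:00"},
]

# Fixed "now" (2025-03-20 20:00 UTC, constructed) so the results are reproducible.
NOW = datetime(2025, 3, 20, 20, 0, 0, tzinfo=timezone.utc).timestamp()


def to_epoch(value):
    """Emulates eval strptime(): a string in FMT becomes epoch seconds, anything else null."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def subtract(now, value):
    """Emulates eval arithmetic: now() minus a non-numeric field yields null, not an error."""
    if not isinstance(value, (int, float)):
        return None
    return now - value


def max_per_name(events, field, parse):
    """Emulates `stats max(field) by Name`.
    parse=None keeps the raw strings (the original query); strings then compare lexicographically."""
    best = {}
    for ev in events:
        v = ev[field] if parse is None else parse(ev[field])
        if v is None:
            best.setdefault(ev["Name"], None)
            continue
        cur = best.get(ev["Name"])
        best[ev["Name"]] = v if cur is None else max(cur, v)
    return best


def stale_pcs(events, now=NOW, days=3, parse=to_epoch, rounding=None):
    """Names whose last scan is older than `days`, or unknown: `where diff > 3 OR isnull(diff)`.
    rounding=None compares the raw day count; pass round or floor to reproduce the eval variants."""
    result = []
    for name, last in max_per_name(events, "LastScanDateTime", parse).items():
        seconds = subtract(now, last)
        diff = None if seconds is None else seconds / 60 / 60 / 24
        if diff is not None and rounding is not None:
            diff = rounding(diff)
        if diff is None or diff > days:
            result.append(name)
    return sorted(result)


def original_behaviour(events):
    """The thread's first query: max() over raw strings, then now() - <string> is null for every PC,
    so the isnull(diff) branch lets every PC through."""
    return stale_pcs(events, parse=None)


if __name__ == "__main__":
    print("raw-string max for PC-A:", max_per_name(EVENTS, "LastScanDateTime", None)["PC-A"])
    print("original query returns:", original_behaviour(EVENTS))
    print("parsed, raw compare:   ", stale_pcs(EVENTS))
    print("parsed, round() first: ", stale_pcs(EVENTS, rounding=round))
    print("parsed, floor() first: ", stale_pcs(EVENTS, rounding=floor))
```

With the raw strings, PC-A's "max" scan time is 12/01/2024 because "1" sorts after "0", and every subtraction is null, so all four PCs come back. After strptime(), PC-B (3.33 days since its scan) is correctly reported with a raw comparison but disappears once the difference is round()-ed to 3, which is the threshold shift the reply describes.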

numeroinconnu12
Path Finder

Thank you @PickleRick

My correction, it works:

index=antivirus
    | eval lmt=strptime(LastMessageTime,"%m/%d/%Y %H:%M:%S")
    | eval lst=strptime(LastScanDateTime,"%m/%d/%Y %H:%M:%S")
    | stats values(SAVVersion) as SAVVersion, values(EngineVersion) as EngineVersion ,values(VirusDataVersion) as VirusDataVersion,  max(lmt) as LastMessageTime, max(lst) as LastScanDateTime by Name
    | sort LastScanDateTime
    | eval diff=round((Now() - LastScanDateTime)/60/60/24)
    | eval "active in the last 7 days ?"=if(round((Now() - LastMessageTime)/60/60/24)>7,"NO","YES")
    | eval LastMessageTime=strftime(LastMessageTime,"%d/%m/%Y %H:%M:%S")
    | eval LastScanDateTime=strftime(LastScanDateTime,"%d/%m/%Y %H:%M:%S")
    | where (diff > 3) OR isnull(diff)
    | fillnull value="-"
    | sort - "active in the last 7 days ?" - diff