Solved: Remove results from table if they do not meet a co...

bravecarcass86 · ‎04-09-2019

I am trying to create a search that will display all universal forwarders that have not checked in for over 24 hours. Currently, what I have will display all of them and only show the time since check in if it is only over 24 hours. How do I remove the results that do not meet this?

Here's what I have so far:

Thank you for your help!

solarboyz1 · ‎04-09-2019

Just add | search last_seen_hours > 24 to filter:

index=_internal sourcetype=splunkd group=tcpin_connections 
| stats latest(version) as version by hostname
| join hostname [ | metadata type=hosts index=* 
| eval last_seen_hours=case(((now()-lastTime)/60/60) > 1, (now()-lastTime)/60/60)
| search last_seen_hours > 24
| table host, last_seen_hours
| rex field=host "(?[^.]+)" | fields - host ] 
| sort last_seen_hours

View solution in original post

solarboyz1 · ‎04-09-2019

Just add | search last_seen_hours > 24 to filter:

index=_internal sourcetype=splunkd group=tcpin_connections 
| stats latest(version) as version by hostname
| join hostname [ | metadata type=hosts index=* 
| eval last_seen_hours=case(((now()-lastTime)/60/60) > 1, (now()-lastTime)/60/60)
| search last_seen_hours > 24
| table host, last_seen_hours
| rex field=host "(?[^.]+)" | fields - host ] 
| sort last_seen_hours

bravecarcass86 · ‎04-10-2019

Thanks, that works. I ended up just tacking on "| where last_seen_hours > 24" to the end, as that's the solution I found first. I appreciate the help though!

Remove results from table if they do not meet a condition.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms