Hi @everyone, @skoelpin,
Can you please help me with this.
I have the Firefox program installed on my system. Now, I am getting it in my Splunk events when I run the query for what software I have installed on my system, and this is expected.
Now, if I remove/uninstall Firefox from my system and then run the Splunk query, it still appears in the Splunk events. There is a field in the event called LastUsedTime, and the reason we are still seeing the events is that the log retention period is 90 days.
Now, I want a fresh result of the search where the application name (firefox) shall not appear if I uninstall Firefox from the system.
Can you help me to add a filter to the search, listing only events having LastUsedTime newer than a period of choice (1 week, 1 month, etc.), or any other workaround for this?
Thanks again for your help.
Binay Agarwal
Hey @bagarwai
You can create some conditional logic to exclude it. It will look something like this (this is untested):
| eval today=relative_time(now(),"0d@d")
| eval discard=if(strptime(LastUsedTime,"%Y-%m-%d %H:%M:%S")<'today',0,1)
| search discard=1
This will first create a field called today which will determine the epoch time for today. It will then use an if statement to check if the last used time is less than today. If it is less than today, it will assign a 0 to discard, else it will assign a 1. You can then exclude the field discard with values equaling 0.
@bagarwai did this work for you?
Hi @skoelpin,
I tried, but the above one didn't work. However, your previous one helped to get the results:
| where now()-strptime(LastUsedTime,"%Y-%m-%d %H:%M:%S")>86400*7
Thanks a lot for your help.
Binay
How frequently are you getting data (in Splunk) about your system's software? You can either just choose the time range according to it so that only the latest data about the software is selected, OR you can add a filter like this (assuming the format of the timestamp value in field LastUsedTime is YYYY-mm-dd HH:MM:SS; update the time format in the strptime function if it's different. The RHS of the where clause gives the data duration for 1 week/7 days; change the multiplication factor per your need):
your current search which includes the field LastUsedTime
| where now()-strptime(LastUsedTime,"%Y-%m-%d %H:%M:%S")>86400*7
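The two suggestions in this thread can be combined into one search. The following is an added example, not a query posted by any participant. It assumes an index named inventory, a sourcetype named software_inventory, and fields host and AppName (all assumed; adjust to your data), and it takes the LastUsedTime format stated above. Note the direction of the comparison: now()-last_used > 86400*7 keeps entries that were last used more than 7 days ago, while < keeps entries used within the last 7 days, which is what the question asks for. Because the inventory arrives once every 24 hours, the search also keeps only host/application pairs present in the newest collection, which is what actually removes software that is no longer being reported.

```spl
index=inventory sourcetype=software_inventory earliest=-2d@d
| eval last_used=strptime(LastUsedTime, "%Y-%m-%d %H:%M:%S")
| eval window_secs=86400*7
| where isnotnull(last_used) AND now()-last_used < window_secs
| stats max(_time) as last_reported, latest(LastUsedTime) as LastUsedTime by host AppName
| where last_reported > relative_time(now(), "-1d@d")
| convert ctime(last_reported)
| sort host AppName
```

Change the 7 in window_secs to 30 for a one-month window. strptime returns null when a value does not match the format, so the isnotnull check drops malformed timestamps instead of silently passing them. earliest=-2d@d bounds the search to the last two daily collections, which is enough because the final where clause only keeps pairs reported since yesterday midnight (relative_time(now(), "-1d@d")).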
Hi @somesoni2,
Thank you for your help.
The data gets reflected once every 24 hours. We are getting the latest data; however, it has been designed such that we are getting old data as well, even if we remove the software.
e.g. if I had removed Mozilla from my system yesterday, and I run the query today, the result should not come. However, it is coming. LastUsedTime is showing as yesterday's date only.
I need to search such that it checks for LastUsedTime newer than a period of choice.
I have used the one you suggested; however, I did not get the desired result. The time format is the same as mentioned.
| where now()-strptime(LastUsedTime,"%Y-%m-%d %H:%M:%S")>86400*7
Thanks for your help.
Binay Agarwal