Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk search based on lookup time?

alexspunkshell
Contributor
‎09-01-2022 10:05 AM

Below query, I have used and it is saving in output lookup format.

 

Lookupname - S1_installedtime

Query - index=sentinelone |table installedAt agentComputerName agentDomain |search installedAt!="Null" |dedup agentComputerName

installedAt - This field is giving the installation time

Now I want a query that compares with the lookup table(S1_installedtime) and gives a result if any new agentComputerName in the last 1-week.

 

Objective - Need a list of agentComputerName having SentinelOne installed in the last 7 days.

Labels (5)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2022 06:39 PM

In addition to @yuanliu comments, I would add some observations on your existing SPL

index=sentinelone
|table installedAt agentComputerName agentDomain
|search installedAt!="Null" 
|dedup agentComputerName
  • Always try to filter as much data as possible in your original search, i.e. in the above, the 
|search installedAt!="Null"

could be part of the original search statement 'index=...'

  • Using 'table' will push the data to the search head, so can reduce search performance if done early in the pipeline. It can also change the order of events.
    • As such, if you want to limit the data to certain field, use the 'fields' command, which will run on the indexer and perform better in a clustered environment.
  • Using dedup after you have used table will not always give you the most recent event for agentComputerName, as the _time order may have changed . If you want to use dedup, sometimes it is more predictable to use stats latest(*) as * by X, which will return the latest event only for the field X

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-04-2022 06:10 PM

The requirement above could use some explanation.  If you already have the field installedAt in index=sentinelone, why is lookup S1_installedtime necessary?

If I take the liberty to guess, you want to

  1. search some other data which contains field agentComputerName but not installedAt.  Is this correct?
  2. In this second dataset, you want to find out which agentComputerName had SentinelOne installed in a certain 7-day period prior to search.

Assuming the original installedAt is in epoc time, the task could be as simple as

index=someotherindex
| lookup S1_installedtime agentComputerName
| where now() < relative_time(installedAt, 7d)

If installedAt is a text timestamp, use strptime to convert, e.g.,

 

index=someotherindex
| lookup S1_installedtime agentComputerName
| where now() < relative_time(strptime(installedAt, "%Y-%m-%d %H:%M:%S%Z"), 7d)

There is also time-based lookup (Define a time-based lookup in Splunk Web) that can make use of string timestamp field directly.  If you use time-based lookup, you only have to select events where lookup returns a result

index=someotherindex
| lookup S1_installedtime agentComputerName
| isnotnull(installedAt)

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...