Splunk Search

Splunk search based on lookup time?

alexspunkshell
Contributor

I have used the query below, and it is saving its output in lookup format.

 

Lookupname - S1_installedtime

Query - index=sentinelone |table installedAt agentComputerName agentDomain |search installedAt!="Null" |dedup agentComputerName

installedAt - This field is giving the installation time

Now I want a query that compares with the lookup table (S1_installedtime) and returns any new agentComputerName in the last week.

 

Objective - Need a list of agentComputerName having SentinelOne installed in the last 7 days.

0 Karma

bowesmana
SplunkTrust

In addition to @yuanliu's comments, I would add some observations on your existing SPL:

index=sentinelone
|table installedAt agentComputerName agentDomain
|search installedAt!="Null" 
|dedup agentComputerName
  • Always try to filter as much data as possible in your original search, i.e. in the above, the |search installedAt!="Null" could be part of the original search statement 'index=...'
  • Using 'table' will push the data to the search head, so it can reduce search performance if done early in the pipeline. It can also change the order of events.
    • As such, if you want to limit the data to certain fields, use the 'fields' command, which will run on the indexer and perform better in a clustered environment.
  • Using dedup after you have used table will not always give you the most recent event for agentComputerName, as the _time order may have changed. If you want to use dedup, sometimes it is more predictable to use stats latest(*) as * by X, which will return the latest event only for the field X.

 

0 Karma
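Putting those three observations together, here is a version of the lookup-building search that filters in the base search, uses fields instead of table, and uses stats latest to keep one row per host. This is an added example, not code from the thread; it assumes installedAt is the SentinelOne installation timestamp and that S1_installedtime is written with outputlookup (the thread does not show how the lookup is populated).

```spl
index=sentinelone installedAt!="Null"
| fields _time agentComputerName agentDomain installedAt
| stats latest(installedAt) AS installedAt latest(agentDomain) AS agentDomain latest(_time) AS lastSeen BY agentComputerName
| outputlookup S1_installedtime
```

The installedAt!="Null" filter in the base search only matches events that actually carry the field, so events without installedAt are dropped at the indexer rather than on the search head. latest() is chosen by _time, not by row position, which is what makes the result deterministic where dedup after table is not. The lookup file is overwritten on each run, so this search is normally scheduled.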

yuanliu
SplunkTrust

The requirement above could use some explanation.  If you already have the field installedAt in index=sentinelone, why is lookup S1_installedtime necessary?

If I take the liberty to guess, you want to

  1. search some other data which contains field agentComputerName but not installedAt.  Is this correct?
  2. In this second dataset, you want to find out which agentComputerName had SentinelOne installed in a certain 7-day period prior to search.

Assuming the original installedAt is in epoch time, the task could be as simple as

index=someotherindex
| lookup S1_installedtime agentComputerName
| where now() < relative_time(installedAt, "+7d")

If installedAt is a text timestamp, use strptime to convert, e.g.,

 

index=someotherindex
| lookup S1_installedtime agentComputerName
| where now() < relative_time(strptime(installedAt, "%Y-%m-%d %H:%M:%S%Z"), "+7d")

There is also a time-based lookup (Define a time-based lookup in Splunk Web) that can make use of a string timestamp field directly. If you use a time-based lookup, you only have to select events where the lookup returns a result:

index=someotherindex
| lookup S1_installedtime agentComputerName
| where isnotnull(installedAt)

 

 

0 Karma
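Combining the lookup join with the timestamp conversion into one search for the stated objective, as an added example that is not part of yuanliu's answer. It assumes index=someotherindex is a placeholder for the dataset being checked, that S1_installedtime carries agentComputerName, agentDomain and installedAt, and that installedAt is either an epoch number or a text timestamp in the "%Y-%m-%d %H:%M:%S%Z" format shown above (the if/match branch handles both without guessing).

```spl
index=someotherindex earliest=-7d@d
| stats count AS events BY agentComputerName
| lookup S1_installedtime agentComputerName OUTPUT installedAt agentDomain
| eval installed_epoch=if(match(installedAt, "^\d+(\.\d+)?$"), tonumber(installedAt), strptime(installedAt, "%Y-%m-%d %H:%M:%S%Z"))
| where isnotnull(installed_epoch) AND installed_epoch >= relative_time(now(), "-7d@d")
| eval installedAt_readable=strftime(installed_epoch, "%Y-%m-%d %H:%M:%S")
| table agentComputerName agentDomain installedAt_readable events
```

Collapsing to one row per agentComputerName with stats before the lookup keeps the lookup cheap and the output one line per host. Hosts that are absent from S1_installedtime get no installedAt and are dropped by the where clause; if "new" is meant as "not yet in the lookup at all", replace that clause with | where isnull(installedAt). If strptime cannot parse the string it returns null, so a format mismatch shows up as missing hosts rather than wrong dates; check a few rows with the where clause removed first.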