Splunk Search

Splunk search based on lookup time?


Below is the query I have used; it saves its output in lookup format.


Lookupname - S1_installedtime

Query - index=sentinelone |table installedAt agentComputerName agentDomain |search installedAt!="Null" |dedup agentComputerName

installedAt - This field gives the installation time

Now I want a query that compares against the lookup table (S1_installedtime) and gives a result if there is any new agentComputerName in the last week.


Objective - Need a list of agentComputerName having SentinelOne installed in the last 7 days.



In addition to @yuanliu's comments, I would add some observations on your existing SPL:

|table installedAt agentComputerName agentDomain
|search installedAt!="Null" 
|dedup agentComputerName
  • Always try to filter as much data as possible in your original search, i.e. in the above, the '|search installedAt!="Null"' could be part of the original search statement 'index=...'
  • Using 'table' will push the data to the search head, so it can reduce search performance if done early in the pipeline. It can also change the order of events.
    • As such, if you want to limit the data to certain fields, use the 'fields' command, which will run on the indexer and perform better in a clustered environment.
  • Using dedup after you have used table will not always give you the most recent event for agentComputerName, as the _time order may have changed. If you want to use dedup, sometimes it is more predictable to use stats latest(*) as * by X, which will return the latest event only for the field X


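Putting those observations together, here is an added example (not code from the post above or from the original question) of the lookup-generating search rewritten so that the filtering happens in the base search, 'fields' replaces 'table', and stats latest(...) by agentComputerName replaces dedup. The lookup name S1_installedtime and the field names installedAt, agentComputerName and agentDomain come from the question; installed_epoch is a name introduced here, and the timestamp format is an assumption (installedAt is assumed to be an ISO 8601 UTC string such as 2024-05-02T09:15:27.123Z, so adjust the strptime format if your values differ).

```spl
index=sentinelone installedAt!="Null"
| fields _time agentComputerName agentDomain installedAt
| eval installed_epoch=strptime(replace(installedAt, "\.\d+", ""), "%Y-%m-%dT%H:%M:%SZ")
| stats latest(installedAt) AS installedAt latest(installed_epoch) AS installed_epoch latest(agentDomain) AS agentDomain BY agentComputerName
| outputlookup S1_installedtime
```

Two details worth checking before scheduling this. First, in the base search installedAt!="Null" only matches events that actually carry the field, whereas NOT installedAt="Null" would also let through events with no installedAt at all; the former is what you want here. Second, the replace() strips any fractional seconds before strptime so that values with three or six subsecond digits parse the same way; if strptime still returns null the lookup row will have an empty installed_epoch, which is easy to spot with | inputlookup S1_installedtime | where isnull(installed_epoch). Storing installed_epoch in the lookup means later searches can compare it numerically without re-parsing the string.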


The requirement above could use some explanation.  If you already have the field installedAt in index=sentinelone, why is lookup S1_installedtime necessary?

If I take the liberty to guess, you want to

  1. search some other data which contains field agentComputerName but not installedAt.  Is this correct?
  2. In this second dataset, you want to find out which agentComputerName had SentinelOne installed in a certain 7-day period prior to search.

Assuming the original installedAt is in epoch time, the task could be as simple as

| lookup S1_installedtime agentComputerName
| where now() < relative_time(installedAt, "+7d")

If installedAt is a text timestamp, use strptime to convert, e.g.,


| lookup S1_installedtime agentComputerName
| where now() < relative_time(strptime(installedAt, "%Y-%m-%d %H:%M:%S%Z"), "+7d")

There is also the time-based lookup (Define a time-based lookup in Splunk Web) that can make use of a string timestamp field directly.  If you use a time-based lookup, you only have to select events where the lookup returns a result

| lookup S1_installedtime agentComputerName
| where isnotnull(installedAt)



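For the stated objective (a list of agentComputerName with SentinelOne installed in the last 7 days) the lookup itself can be queried directly, without joining it back to events. The following is an added example, not code from @yuanliu's answer or from the question. It assumes the lookup S1_installedtime from the question, with installedAt stored as an ISO 8601 UTC string such as 2024-05-02T09:15:27.123Z (adjust the strptime format otherwise); installed_epoch, parse_status and installed_readable are names introduced here.

```spl
| inputlookup S1_installedtime
| eval installed_epoch=strptime(replace(installedAt, "\.\d+", ""), "%Y-%m-%dT%H:%M:%SZ")
| eval parse_status=if(isnull(installed_epoch), "unparsed", "ok")
| where parse_status="unparsed" OR installed_epoch >= relative_time(now(), "-7d")
| eval installed_readable=strftime(installed_epoch, "%Y-%m-%d %H:%M:%S")
| sort - installed_epoch
| table agentComputerName agentDomain installedAt installed_readable parse_status
```

The parse_status column exists because a wrong strptime format does not raise an error in Splunk: installed_epoch is simply null, the comparison in where evaluates to false, and the host silently disappears from the result. Keeping rows with parse_status="unparsed" in the output makes that failure mode visible instead of producing an empty and misleading "nothing new" report. relative_time(now(), "-7d") is a rolling window measured from search time; use "-7d@d" if the report should start at midnight seven days ago. When the hosts of interest live in another dataset that lacks installedAt, the lookup-then-where form in the answer above is the right shape, with the same strptime and window applied to the field the lookup returns.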