Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using eval with table
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asarolkar
Builder
11-30-2012
02:55 PM
I have a log by the name of auditlog, which logs accountNumber AND accountCreateDt
accountCreateDt = %Y-%m-%d format.
I am trying to identify Accounts that were created less than 24 hours ago by executing this search.
sourcetype="auditlog" | convert timeformat="%Y-%m-%d" mktime(accountCreateDt) as lastTime | convert mktime(_time) as c_time | eval Diff=c_time - lastTime | where Diff < 86400 | table accountNumber
For some reason, this query is not working.
IF i replace the last query with | table Diff it works like a charm (it gives me all time difference as long as account was created less than 24 hours ago).
Am i not using eval and table correctly ?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
11-30-2012
03:12 PM
It looks mostly okay, but I think you are doing it the hard way:
sourcetype=auditlog
| eval lastTime = strptime(accountCreateDt,"%Y-%m-%d")
| where lastTime > relative_time(now(), "-24h")
| table accountNumber accountCreateDt
One of the variables that you are using is _time - that is the the timestamp of the event; it will vary with each event. now() is the starting time of the search. I think that now() is what you should be using here, no matter how you choose to calculate things.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
11-30-2012
03:12 PM
It looks mostly okay, but I think you are doing it the hard way:
sourcetype=auditlog
| eval lastTime = strptime(accountCreateDt,"%Y-%m-%d")
| where lastTime > relative_time(now(), "-24h")
| table accountNumber accountCreateDt
One of the variables that you are using is _time - that is the the timestamp of the event; it will vary with each event. now() is the starting time of the search. I think that now() is what you should be using here, no matter how you choose to calculate things.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asarolkar
Builder
11-30-2012
04:16 PM
I like the idea of using now() more than _time.
Also this is a much simpler solution
Get Updates on the Splunk Community!
Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar
Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Splunk ITSI & Correlated Network Visibility
Now On Demand
Take Your Network Visibility to the Next Level
In today’s complex IT environments, ...
Community Content Calendar, August edition
In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...
