Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Value expiration in query

Harjit456
New Member
‎02-11-2019 08:27 AM

Hi all,

I'm wondering if there is a way to make a query with values that expire. For example my query is:

index=checkpoint sourcetype=opsec* src="192.168.1.1" OR "192.168.1.2"
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature
| sort count DESC
| eventstats sum(count) as totalCount

I would like the src conditions in the query to expire after 30 days automatically. Is it possible?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-11-2019 11:53 AM

This is a very unusual question, but you could do something like this:

index=checkpoint sourcetype=opsec*
        [| makeresults 
        | eval end_date = strptime("15 Feb 2019", "%d %b %Y")
        | eval conditions = if (_time > end_date, null(), "src=192.168.1.1 OR 192.168.1.2")
        | return $conditions]
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature 
| sort count DESC 
| eventstats sum(count) as totalCount

Just change the date to the date you want.

Hope this helps 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-11-2019 11:53 AM

This is a very unusual question, but you could do something like this:

index=checkpoint sourcetype=opsec*
        [| makeresults 
        | eval end_date = strptime("15 Feb 2019", "%d %b %Y")
        | eval conditions = if (_time > end_date, null(), "src=192.168.1.1 OR 192.168.1.2")
        | return $conditions]
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature 
| sort count DESC 
| eventstats sum(count) as totalCount

Just change the date to the date you want.

Hope this helps 🙂

0 Karma
Reply
Solved! Jump to solution

Harjit456
New Member
‎02-11-2019 12:25 PM

Hi! thank you very much, however this isn't working quite exactly the way I want it to. If I enter for example: Feb 10, I would like it to show me 0 results. (since it comes before Feb 11) instead it shows me everything ELSE the SRC ip in the eval conditions line.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-11-2019 12:27 PM

Just change this line:

| eval conditions = if (_time > end_date, null(), "src=192.168.1.1 OR 192.168.1.2")

to instead be

| eval conditions = if (_time > end_date, "src=_NO_MATCH_", "src=192.168.1.1 OR 192.168.1.2")

0 Karma
Reply
Solved! Jump to solution

Harjit456
New Member
‎02-11-2019 12:29 PM

You're the best! Thank you very much!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...