Splunk Search

Value expiration in query

Harjit456
New Member

Hi all,

I'm wondering if there is a way to make a query with values that expire. For example my query is:

index=checkpoint sourcetype=opsec* src="192.168.1.1" OR "192.168.1.2"
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature
| sort count DESC
| eventstats sum(count) as totalCount

I would like the src conditions in the query to expire after 30 days automatically. Is it possible?

Tags (1)
0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

This is a very unusual question, but you could do something like this:

index=checkpoint sourcetype=opsec*
        [| makeresults 
        | eval end_date = strptime("15 Feb 2019", "%d %b %Y")
        | eval conditions = if (_time > end_date, null(), "src=192.168.1.1 OR 192.168.1.2")
        | return $conditions]
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature 
| sort count DESC 
| eventstats sum(count) as totalCount

Just change the date to the date you want.

Hope this helps 🙂

View solution in original post

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

This is a very unusual question, but you could do something like this:

index=checkpoint sourcetype=opsec*
        [| makeresults 
        | eval end_date = strptime("15 Feb 2019", "%d %b %Y")
        | eval conditions = if (_time > end_date, null(), "src=192.168.1.1 OR 192.168.1.2")
        | return $conditions]
| fillnull value=NULL
| stats count by src,dest,s_port,policy_name,signature 
| sort count DESC 
| eventstats sum(count) as totalCount

Just change the date to the date you want.

Hope this helps 🙂

0 Karma

Harjit456
New Member

Hi! thank you very much, however this isn't working quite exactly the way I want it to. If I enter for example: Feb 10, I would like it to show me 0 results. (since it comes before Feb 11) instead it shows me everything ELSE the SRC ip in the eval conditions line.

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Just change this line:

| eval conditions = if (_time > end_date, null(), "src=192.168.1.1 OR 192.168.1.2")

to instead be

| eval conditions = if (_time > end_date, "src=_NO_MATCH_", "src=192.168.1.1 OR 192.168.1.2")

0 Karma

Harjit456
New Member

You're the best! Thank you very much!!!

0 Karma
Get Updates on the Splunk Community!

Testing out the OpenTelemetry Collector With raw Data

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...