Re: modify date of search

cipi23 · ‎07-11-2019

how to modify time after a search, for example i search something on thirst day of week (08 date) and after i would like to search on last week first day (01 date) all this search is in one search. In classic programming i will be use for loop

cipi23 · ‎07-12-2019

i have to display count of hosnames, that have last_seen >30 days, in first day of week:

for 08.07.19 count number of hostnames that have last_seen >30 days
for 01.07.19 count number of hostnames that have last_seen >30 days
for 24.06.19 count number of hostnames that have last_seen >30 days
for 17.06.19 count number of hostnames that have last_seen >30 days

the output will be:
week1 count
week2 count
week3 count
week4 count

all this i need to do in one search

woodcock · ‎07-11-2019

First of all, be aware that you can set your personal timezone in <Your Name> -> Preferences -> Time zone and then you can avoid all of your strftime stuff; if you do that, then this should work:

index=en_amp_api earliest=@w1 latest=@w2
| timechart span=1w count

woodcock · ‎07-11-2019

First of all, be aware that you can set your personal timezone in <Your Name> -> Preferences -> Time zone and then you can avoid all of your strftime stuff; try this:

index=en_amp_api earliest=@w1 latest=@w2
| eval week=case(
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week1",
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week2",
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week3",
   last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"), "week4",
   true(), "other")
| stats count BY week

tiagofbmm · ‎07-11-2019

either you're willing to run 4 searches, one for each week, which can be done like this:

| makeresults | eval earliest=<week2_begins>, latest=<week1_ends>, weeknumber=1
| append [ | makeresults | eval earliest=<week2_begins>, latest=<week2_ends>, weeknumber=2 ]
| append [ | makeresults | eval earliest=<week3_begins>, latest=<week3_ends>,weeknumber=3 ]
| append [ | makeresults | eval earliest=<week4_begins>, latest=<week4_ends>, weeknumber=4 ]
| map search="search  index=en_amp_api  earliest=$earliest$ latest=$latest$ | eval description=$weeknumber$"

Or you specify earliest and latest that includes all the 4 weeks

index=<yourindex> earliest=<week1_begins> latest=<week4_ends>  | stats sum(eval(if(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),1,0))) as "week1", sum(eval(if(strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ")<last_seen AND last_seen<strftime(relative_time(_time,"-3w"),"%Y-%m-%dT%H:%M:%SZ"),1,0))) as "week2"

tiagofbmm · ‎07-11-2019

You can specify search (earliest=x latest=y) OR (earliest=w latest=z)

cipi23 · ‎07-11-2019

index=en_amp_api
 earliest=@w1 latest=@w2
| eval description1=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week1")
| eval description2=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week2")
| eval description3=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week3")
| eval description4=case(last_seen<strftime(relative_time(_time,"-4w"),"%Y-%m-%dT%H:%M:%SZ"),"week4")
| stats count(description1) as week1,count(description2) as week2,count(description3) as week3,count(description4) as week4

this is my code and i would like to modify earliest and latest for each case

modify date of search

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

modify date of search

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?