I have a base search below but I need to use a time_window that is in a table, since various logs come in at different times and I'm trying to create alerts for indexes not reporting, but I don't want false positives for indexes that have an expected time lag. splunk_security_index is used to get a specific subset of indexes.
| tstats max(_time) as _time where index=* by index sourcetype | lookup splunk_security_indexes.csv index as index OUTPUT index time_window
| eval time_window="-7d@d" | where _time < relative_time(now(),'time_window')
How does that query fail to meet your needs?
Why is time_window fetched from a lookup file and then hard-coded?
I think you just cracked the code as to why the original code did not deliver.
@thrpa001 wrote:
| tstats max(_time) as _time where index=* by index sourcetype | lookup splunk_security_indexes.csv index as index OUTPUT index time_window
| eval time_window="-7d@d" | where _time < relative_time(now(),'time_window')
I suspect the intention is
| tstats max(_time) as _time where index=* by index sourcetype
| lookup splunk_security_indexes.csv index as index OUTPUT index time_window
| where _time < relative_time(now(), time_window)
In other words, "time_window" should not have quotes surrounding it.
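One more failure mode worth handling on top of the fix above: a source that has gone silent long enough that tstats returns no row for it at all will never be joined to the lookup, so it never alerts. The search below is an added example, not from this thread; it starts from the lookup as the list of expected indexes and assumes a constructed splunk_security_indexes.csv with one row per index and columns index,time_window (for example soc_firewall,-4h or soc_ad,-1d@d), falling back to -1d@d where the cell is empty.

```spl
| tstats max(_time) as last_seen where index=* earliest=-30d@d by index
| append
    [ | inputlookup splunk_security_indexes.csv
      | fields index time_window
      | eval in_lookup=1 ]
| stats max(last_seen) as last_seen, max(in_lookup) as in_lookup, max(time_window) as time_window by index
| where in_lookup=1
| eval time_window=if(isnull(time_window) OR time_window="", "-1d@d", time_window)
| eval cutoff=relative_time(now(), time_window)
| where isnull(last_seen) OR last_seen < cutoff
| eval status=if(isnull(last_seen), "no events in the last 30 days", "last event at " . strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| eval cutoff=strftime(cutoff, "%Y-%m-%d %H:%M:%S")
| table index time_window cutoff status
```

Rows that survive the final where are the indexes to alert on; the relative-time string is read from the time_window field with no quotes, so each index is judged against its own expected lag rather than a single hard-coded window.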