Hi @cmerriman! Yes, I placed "@y" that way. It seems to work ok until I add the second search criteria for actualenddate. After I updated the second filter to -1mon@mon which @somesoni2 suggested, I'm getting from the beginning of the last month, which is what I was looking for! This is the search now... index=... | eval openDate= strptime(opened_at, "%Y-%m-%d %H:%M:%S") | where openDate>=relative_time(now(),"@y") | eval actualenddate = strptime(u_actual_impl_end_date, "%Y-%m-%d %H:%M:%S") | where actualenddate >=relative_time(now(),"-1mon@mon") Thank you! ... View more

Thanks @woodcock! We are working on the authentication portion in order to copy the file from the SH to to NFS share. Do you have an example of what was scripted in the cron job? ... View more

This works! Thanks so much @somesoni2! ... View more

Hi @aljohnson! I really appreciate the breakdown for this search...helped to understand what's happening. THANK YOU! So, here is the search I ran.... index=forescout sourcetype="fs_av_compliance" | eval non_compliant=if(status="non-compliant",1,0) | bin _time span=1d | stats max(non_compliant) as non_compliant by _time src_nt_host src_ip status description | eval time_chunk = case( _time > relative_time(now(), "-90d"), "90days+", _time > relative_time(now(), "-60d"), "60days+", _time > relative_time(now(), "-30d"), "30days+") | eval non_compliant_time = if(non_compliant==1, _time, null()) | stats sum(non_compliant) as total_violations min(non_compliant_time) as earliest_violation_time by src_nt_host, time_chunk | eval earliest_violation_time = strftime(earliest_violation_time, "%F %T") | search total_violations>0 Out of ~2.5m events, 4.5k are returned as having total_violations>0. Here are my questions as I went through adding each piped criteria to the search.... |eval time_chunk.... We are looking for ANY 30, 60, or 90 day span, not necessarily from "relative_time(now())", given that the latest status of the host is "non-compliant". |eval non_compliant_time.... Is the result for non_compliant_time in seconds? How do I turn that into days so I can validate whether or not it's meeting the time_chunk criteria? The time_chunk value for all returning records is set to 90days+, which doesn't seem right for all hosts where total_violations>0. To answer the question of "first time being seen by the system", I meant, the first time the host was added to Forescout. Thanks again for your help @aljohnson! ... View more

@aaraneta - Just from Search (no app or addon). ... View more

@aaraneta, I just sent a followup comment to him.Thanks! ... View more

@jkat54 I'm getting numbers for each of the following searches. I just want to put them together in one search and output each count.... Note that asterisks are in the front and back of each string within the quotes and no backslashes. index=index message_subject="[CyFin" | stats count(message_subject) index=index message_subject="[CyberIntel Confidential]" | stats count(message_subject) index=index message_subject="[TNT-" | stats count(message_subject) Thanks for your continued help! ... View more

Thanks for your response @jkat54! I tried running specifically the following... ... | eval group1=if(match(message_subject,"CyFin"),1,0) | stats count by group* I'm getting the error below... Error in 'eval' command: Regex: nothing to repeat The search job has failed due to an error. You may be able to view the job in the Job Inspector. Please advise..... ... View more

Thanks for all of your help @sundareshr! ... View more

Thank you so much for your help @sundareshr! I'm getting the src_nt_host names for the max and min contributors. How do I obtain the duration time for these two values? The minimum duration time The maximum duration time Avg duration time ... View more

Right now the volume is not too bad. We only have data going back to this June. But, we'll plan to optimize the query. Thanks for the info links! Now, regarding the current search query, for the given earliest=3mon@mon, would the output be based on the date the query is run? I ran it today, 10/27/2016, so for the previous 3mon, it will do to compliance calculation for 9/27, 8/27, etc....? ... View more

This is great @sundareshr! Thank you! One last thing...how would I derive the lowest and highest duration that is contributing to this avg? ... View more

I'll try that. Ok Thanks! ... View more

Yes, I noticed that and made that change. So, this duration is in seconds? How would I change it to hours? ... View more

ok, is that avg_duration in seconds, minutes, hours, days? The output is coming up as a negative number.... -2819509.457109 ... View more

Yes! That works. Thank you @sundareshr! So, how do we add this to capture the percCompliant from the 1st of each month and chart it for month over month comparison? ... View more

Hi @sundareshr. Thanks again for your help in all this. I modified the search to apply to our data: index=forescout sourcetype="fs_encryption_compliance" | stats earliest(eval(if(status="non-compliant", _time, null()))) as noncompliant earliest(eval(if(status="compliant", _time, null()))) as compliant by src_nt_host | where isnotnull(noncompliant) | eval duration="non-compliant" | stats avg(duration) as avg_duration by src_nt_host However, the output is listing src_nt_host (device) and NULL avg_duration numbers. We're actually looking for just one avg number for all of these devices. So, can we simply add the duration numbers from each src_nt_host and then derive the avg from that? ... View more