Splunk Search

I would like to find host IP addresses that have not been updated for 3 days.

superhm
Explorer

Hello.

I would like to find host IP addresses that have not been updated for 3 days.

I want to use the UPDATETIME field, whose format is 2017.04.27.08 (Year.Month.Date.Hour),
but the hour portion should be excluded.

I want a scheduled search (warning) that automatically finds hosts whose UPDATETIME is three days or more before the previous day.

please help me.

Thanks.

1 Solution

andrey2007
Contributor

If I correctly understood your question, you can try the following request:

[your search]...
| stats latest(UPDATETIME) as UPDATETIME by host_ip
| eval converted_UPDATETIME=strptime(substr(UPDATETIME,1,10),"%Y.%m.%d")
| eval start_of_previous_day=relative_time(now(),"-1d@d")
| eval time_difference=start_of_previous_day-converted_UPDATETIME
| search time_difference>=259200
| table host_ip

and save the search as an alert with the condition "number of results is more than 0".

You should specify the time range as earliest=-[number_of_days_ago] latest=-1d@d.
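To make the date arithmetic in the answer easy to check offline, here is an added Python model of the same pipeline (this is an illustration, not andrey2007's SPL and not Splunk code): it keeps the latest UPDATETIME per host, drops the hour with the same 10-character truncation as substr(UPDATETIME,1,10), takes the start of the previous day like relative_time(now(),"-1d@d"), and flags hosts whose difference is at least 259200 seconds. The host IPs, timestamps and the "now" value are constructed sample data; stats latest() in Splunk picks the value from the most recent event by _time, which the model approximates by taking the maximum string, valid here because the Year.Month.Date.Hour format sorts chronologically.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records: (host_ip, UPDATETIME) in the Year.Month.Date.Hour
# form from the question. Not real hosts.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("10.0.0.1", "2017.04.27.08"),
    ("10.0.0.1", "2017.04.26.23"),
    ("10.0.0.2", "2017.04.23.14"),
    ("10.0.0.2", "2017.04.22.01"),
    ("10.0.0.3", "2017.04.24.05"),
    ("10.0.0.4", "2017.04.25.19"),
]

THREE_DAYS = 3 * 24 * 60 * 60  # 259200 seconds, the threshold used in the answer


def example_now() -> datetime:
    """Constructed 'now' so the example is reproducible (stands in for now())."""
    return datetime(2017, 4, 28, 10, 30)


def parse_updatetime_day(value: str) -> datetime:
    """Mirror strptime(substr(UPDATETIME,1,10),"%Y.%m.%d"): keep only the date,
    so the hour portion never influences the comparison."""
    return datetime.strptime(value[:10], "%Y.%m.%d")


def start_of_previous_day(now: datetime) -> datetime:
    """Mirror relative_time(now(),"-1d@d"): one day back, snapped to midnight."""
    return (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def latest_per_host(records: List[Tuple[str, str]]) -> Dict[str, str]:
    """Approximate 'stats latest(UPDATETIME) by host_ip'. Splunk's latest() uses
    event _time; here the lexically largest string is used, which matches the
    chronological maximum because the format is zero-padded and big-endian."""
    latest: Dict[str, str] = {}
    for host_ip, updatetime in records:
        if host_ip not in latest or updatetime > latest[host_ip]:
            latest[host_ip] = updatetime
    return latest


def stale_hosts(records: List[Tuple[str, str]], now: datetime,
                threshold_seconds: int = THREE_DAYS) -> List[Tuple[str, str, int]]:
    """Return (host_ip, latest UPDATETIME, seconds stale) for hosts whose last
    update day is at least threshold_seconds before the start of the previous day."""
    reference = start_of_previous_day(now)
    stale: List[Tuple[str, str, int]] = []
    for host_ip, updatetime in sorted(latest_per_host(records).items()):
        converted = parse_updatetime_day(updatetime)
        difference = int((reference - converted).total_seconds())
        if difference >= threshold_seconds:  # same test as 'search time_difference>=259200'
            stale.append((host_ip, updatetime, difference))
    return stale


def run_example() -> List[Tuple[str, str, int]]:
    """The alert's result set for the constructed data and 'now'."""
    return stale_hosts(SAMPLE_RECORDS, example_now())


if __name__ == "__main__":
    for host_ip, updatetime, seconds in run_example():
        print(f"{host_ip}\tlast UPDATETIME {updatetime}\tstale for {seconds // 86400} days")
```

With the sample data and a "now" of 2017-04-28 10:30, the reference point is 2017-04-27 00:00; 10.0.0.3 (last updated on 2017.04.24) is exactly 259200 seconds behind it and is flagged because the test is >=, while 10.0.0.4 (2017.04.25) is two days behind and is not. One caveat for the real SPL: relative_time() and strptime() return epoch seconds, so across a daylight-saving change three calendar days can be 3600 seconds shorter or longer than 259200; if that matters in your timezone, compare day-truncated values or use relative_time(now(),"-4d@d") as the cutoff instead of a fixed second count.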


superhm
Explorer

Wow~! Thank you very much andrey2007.
Your query string is perfect for my question.

I got the result I wanted, and I appreciate your help.

Thanks again : )
