Hello.
I would like to find host IP addresses that have not been updated for 3 days.
I use the UPDATETIME field, whose format is 2017.04.27.08 (Year.Month.Date.Hour).
But the hour portion should be excluded.
I want to automatically search through the schedule (Warning) for UPDATETIME values from three days before the previous day.
Please help me.
Thanks.
If I correctly understood your question, you can try the following request:
[your search]...
|stats latest(UPDATETIME) as UPDATETIME by host_ip
| eval converted_UPDATETIME=strptime(substr(UPDATETIME,1,10),"%Y.%m.%d")
| eval start_of_previous_day=relative_time(now(),"-1d@d")
| eval time_difference=start_of_previous_day-converted_UPDATETIME
| search time_difference>=259200
| table host_ip
and save the search as an alert with the condition "number of results is more than 0".
You should specify the time range as earliest=-[number_of_days_ago] latest=-1d@d
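The same staleness check as the SPL above, carried through in Python so the individual steps can be seen on concrete data. This is an added example, not code from the question or the answer: the events, host IPs and the "current" time are constructed, and the per-host "latest" value is chosen by ordering the full UPDATETIME string (Splunk's latest() orders by event _time instead, which is assumed here to agree).

```python
from datetime import datetime, timedelta

# Constructed sample events: (host_ip, UPDATETIME) in the Year.Month.Date.Hour
# format from the question. Not real inventory data.
SAMPLE_EVENTS = [
    ("10.0.0.1", "2017.04.29.07"),
    ("10.0.0.2", "2017.04.26.23"),
    ("10.0.0.3", "2017.04.25.02"),
    ("10.0.0.3", "2017.04.28.11"),
    ("10.0.0.4", "2017.04.20.05"),
]

# Same threshold as the SPL: 259200 seconds = 3 days * 86400 s
STALE_AFTER = timedelta(days=3)

# Constructed "now" for the worked run (Splunk would use now())
EXAMPLE_NOW = datetime(2017, 4, 30, 15, 20)


def parse_updatetime(value: str) -> datetime:
    """Equivalent of strptime(substr(UPDATETIME,1,10),"%Y.%m.%d"): the hour is dropped."""
    return datetime.strptime(value[:10], "%Y.%m.%d")


def latest_update_by_host(events):
    """Equivalent of stats latest(UPDATETIME) as UPDATETIME by host_ip.

    The full value (including the hour) decides which record is newest, so a
    host with several records within one day still keeps its most recent one.
    """
    latest = {}
    for host_ip, updatetime in events:
        ts = datetime.strptime(updatetime, "%Y.%m.%d.%H")
        if host_ip not in latest or ts > latest[host_ip][0]:
            latest[host_ip] = (ts, updatetime)
    return {ip: raw for ip, (_, raw) in latest.items()}


def start_of_previous_day(now: datetime) -> datetime:
    """Equivalent of relative_time(now(),"-1d@d"): one day back, snapped to midnight."""
    return (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def stale_hosts(events, now: datetime, stale_after: timedelta = STALE_AFTER):
    """Host IPs whose latest (hour-truncated) update is stale_after or more
    before the start of the previous day; mirrors the eval/search/table chain."""
    reference = start_of_previous_day(now)
    result = []
    for host_ip, raw in latest_update_by_host(events).items():
        age = reference - parse_updatetime(raw)   # time_difference in the SPL
        if age >= stale_after:                    # search time_difference>=259200
            result.append(host_ip)
    return sorted(result)


if __name__ == "__main__":
    # With EXAMPLE_NOW the reference point is 2017-04-29 00:00, so 10.0.0.2
    # (last seen 04-26, exactly 3 days earlier) and 10.0.0.4 are reported.
    for ip in stale_hosts(SAMPLE_EVENTS, EXAMPLE_NOW):
        print(ip)
```

Because the hour is truncated before the subtraction and the reference point is midnight of the previous day, the comparison is whole days against whole days; the alert time range in the answer (earliest=-[number_of_days_ago]) only has to be wide enough to still contain each host's most recent record, otherwise a host that simply fell out of the window never reaches the stats command and is silently missed.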
Wow~! Thank you very much andrey2007.
Your query string is perfect for my question.
I got the result I wanted and appreciate your help.
Thanks again : )