Splunk Search

How to add a filter in the search to have a fieldvalue newer than a period of choice ?

bagarwal
Path Finder

I am working on a search to filter events to get the application names installed in the system. However, if I remove or uninstall an application, it still appears in the events.
There is a field called LastUsedTime, and the reason is that we are still seeing the events because the log retention period is 90 days.

Now, I want a fresh result of the search where the application name shall not come up if I uninstall that application from the system.
Can anyone help me add a filter to the search so it lists only events having LastUsedTime newer than a period of choice (1 week, 1 month, etc.), or any other workaround for this?

It would be of great help.

Thanks in advance.

Binay Agarwal


bagarwal
Path Finder

Hi @tiagofbmm,

Thanks for your information.

Just to clarify, I mean, suppose I have the Firefox program installed in my system. Now, I get it in my Splunk events when I run the query, and this is expected.
Now, if I remove/uninstall Firefox from my system and then run the query, it still appears in the Splunk events. The reason, I said, is the field LastUsedTime and the retention of 90 days.

Will your above answer help with this, and what does | rest /services/apps/local refer to? Sorry, this is a new concept for me, so I thought of asking.

Thanks again for your help.

Binay Agarwal

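One way to get the filter the question asks for, added here as an example and not taken from either poster: convert LastUsedTime to epoch seconds, keep only events whose value is newer than a chosen relative period, and then collapse to one row per application. It assumes the events live in a placeholder index and sourcetype, that the application name is in a field called ApplicationName (a hypothetical name; substitute the real one), and that LastUsedTime is a string in the form "2024-01-31 13:45:00" (adjust the strptime format to match the actual data).

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval last_used_epoch=strptime(LastUsedTime, "%Y-%m-%d %H:%M:%S")
| where isnotnull(last_used_epoch) AND last_used_epoch >= relative_time(now(), "-7d@d")
| stats max(last_used_epoch) AS last_used_epoch BY ApplicationName
| eval LastUsedTime=strftime(last_used_epoch, "%Y-%m-%d %H:%M:%S")
| fields ApplicationName LastUsedTime
```

Change "-7d@d" to "-1mon@d" for a month, or "-30d@d" for 30 days. If LastUsedTime is already stored as epoch seconds, drop the strptime line and compare the field directly. An application that was uninstalled stops producing events with a recent LastUsedTime, so it falls out of the result once its last recorded use is older than the chosen window, regardless of how long the raw events are retained.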

tiagofbmm
Influencer

Oh sorry, I thought you were about to uninstall Splunk apps. Let me think about it again then.


tiagofbmm
Influencer

Hey

You can use the | rest /services/apps/local | dedup label | table label to get you the current situation of installed apps in Splunk.

With that, you can filter whatever you want just from the apps that are installed now.

Let me know if it helps.
