Solved: How to create a search that shows if the last seen... - Splunk Community

Splunk Enterprise Security

I've tried a few different things but they don't appear to be working. I have a log that gives out the last day and time a particular software was seen on a machine (host properties last seen).

I want to create a search that shows if the last seen date was greater than 7 days.

Any thoughts on the best way to do this?

Thanks.

1 Solution

Solution

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

View solution in original post

Solution

Hi crisp023-

Try checking one of these:

This one has the simplest solution:
https://answers.splunk.com/answers/22564/finding-last-event.html

A bit more involved:
https://answers.splunk.com/answers/762438/how-to-create-a-list-of-all-indexes-with-source-ho.html
https://answers.splunk.com/answers/332987/how-to-search-the-list-of-devices-that-have-sent-l.html

Hope this helps,
Mike

Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...