Splunk Enterprise Security

How to delete rows in lookup based on time or date

KumarGB
Explorer

Hi,

I am trying to build a query to monitor the IOCs in the lookup which has the time field in it.

Attached the screenshot.alt text

Based on the time field the rows should be automatically deleted. For example: the rows meets the condition "_time < 7 Oct 2019" should be deleted.

Do anyone have an idea on how to create saved search to delete the rows based on the condition.

1 Solution

jkat54
SplunkTrust
SplunkTrust

If you can write a search that produces all the other rows excluding what you want to delete, then you can just | outputlookup your_lookup

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

If you can write a search that produces all the other rows excluding what you want to delete, then you can just | outputlookup your_lookup

0 Karma

KumarGB
Explorer

Thanks!! It helped.

the below eval command was not giving a correct value

| eval 60dAgo=now()-(86400*60)

so I changed as below

| eval dif=(now()-TIME)/86400
| where dif <= 60

jkat54
SplunkTrust
SplunkTrust

Nice work adapting my example for your needs!

0 Karma

KumarGB
Explorer

I will be keep on adding IOCs on weekly basis.. I don't want the IOCs which are older than 60 days. So it should be deleted automatically from this lookup using the saved search.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Yes thats what I'm saying...

| inputlookup append=true your_lookup 
| eval TIME=strptime(_time,"%m/%d/%Y")
| eval 60dAgo=now()-(86400*60)
| where TIME<60dAgo
| outputlookup your_lookup

Run it for all time however often you like.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...