- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Creating Conditional based on date (2 days)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to create a conditional that is based on date, so for example I have a table that will show you the last time a device checked in 4-21-2017, I want to make a conditional that will only activate if a device has not checked in for 2 days (So that device would trigger my conditional)
|inputlookup blah.csv |rename mac as Mac_Address |rename "Las HW Scan" as Last_HW_Scan |table Mac_Address Last_HW_Scan
Example data:
00-13-5F-ED-A3-21 4/24/2016 1:37
00-13-5E-ED-A2-24 4/2/2017 9:59
00-13-5F-ED-A1-27 4/3/2017 9:58
So the conditional would fire 2 of the 3 here. Where time(now+2d) < Last_HW_Scan something along those lines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You basically have it there, just switch around the equation so that the field being compared is on the left and the calculated value on the right. You can use either the search verb or the where verb in this case.
| where Last_HW_Scan < relative_time(now(),"-2d")
This assumes that Last_HW_Scan is recognizable to splunk as a date-time field in epoch format. Otherwise you will need to convert it.
| eval Last_HW_Scan_Epoch = strptime(Last_HW_Scan,"%m/%d/%Y %H:%M")
| where Last_HW_Scan_Epoch < relative_time(now(),"-2d")
Either of the above lets through only the records that are older than 2 days old to the second.
If you want only those which are more than two calendar days old, then use relative_time(now(),"-2d@d"), which will give you the epoch-format moment that two days ago began, as of GMT/UTC. If you want midnight local, for example in CST, then you would need to adjust again for the hours from UTC... something like relative_time(relative_time(now(),"-2d@d"),"-5h").
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You basically have it there, just switch around the equation so that the field being compared is on the left and the calculated value on the right. You can use either the search verb or the where verb in this case.
| where Last_HW_Scan < relative_time(now(),"-2d")
This assumes that Last_HW_Scan is recognizable to splunk as a date-time field in epoch format. Otherwise you will need to convert it.
| eval Last_HW_Scan_Epoch = strptime(Last_HW_Scan,"%m/%d/%Y %H:%M")
| where Last_HW_Scan_Epoch < relative_time(now(),"-2d")
Either of the above lets through only the records that are older than 2 days old to the second.
If you want only those which are more than two calendar days old, then use relative_time(now(),"-2d@d"), which will give you the epoch-format moment that two days ago began, as of GMT/UTC. If you want midnight local, for example in CST, then you would need to adjust again for the hours from UTC... something like relative_time(relative_time(now(),"-2d@d"),"-5h").
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
