last events in a timeframe

wsw70 · ‎02-07-2012

Hello,

I am working with vulnerability scan results which follow this template:

timestamp hostname vulnerability_name

I am doing all sorts of reports for the current month results. This works fine but I currently only have one set of results per month (one scan).
I would like to increase the amount of scans per month and I will end up with the following timeline

-B--[xxxxxxx]-------[xx]---E---

where:

B and E are respectively the beginning and the end of the month
[] is a 24 hours period
x is a security event

This means that during the month some remediation will happen, so the number of events in the last bunch can be smaller. This last bunch represents the "current status" which I am most interested in (I will be interested in the history of scans someday later :))

I therefore need to discover the latest event in my scanning history and limit my manipulations to events within a 24h range before that event (including the event).
What would be the most natural way to do this?

Thank you!

woodcock · ‎06-29-2015

Like this:

... | stats latest(_time) AS newest BY date_month | eval earliest=newest + 24*60*60 | map search="search earliest=$earliest$ latest=$newest$ other search stuff here"

last events in a timeframe

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk