I have a bunch of logs from a program that regularly updates local files with changes in network files, and I would like to find out which computers haven't received an update in the past 7 days.
The fields I am using to differentiate the computers are source and sourcetype.
However, the only way to tell if no files have been updated is if there are no events logged in Splunk.
Is there a feasible way to denote this? I need a list of all of the sources/sourcetypes which haven't had any events in the past 7 days.
Using metadata is a great tool for this question. This search will return any sourcetype that hasn't reported a "lastTime" before (now - 7 days of seconds ago).
|metadata type=sourcetypes|eval sevenDaysAgo = now() - (7*24*3600)|where lastTime < sevenDaysAgo
Same thing for sources
|metadata type=sources|eval sevenDaysAgo = now() - (7*24*3600)|where lastTime < sevenDaysAgo
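An added example (not part of the answer above) that closes two gaps in the metadata approach: metadata lists sources and sourcetypes separately rather than as the source/sourcetype pairs the question uses to identify a computer, and neither metadata nor tstats can list a computer that has never sent an event at all. It assumes a hypothetical lookup named expected_sources.csv with the columns source and sourcetype, maintained by hand or from an inventory export; everything else is standard SPL.

```spl
| tstats max(_time) AS lastTime WHERE index=* BY source sourcetype
| inputlookup append=true expected_sources.csv
| stats max(lastTime) AS lastTime BY source sourcetype
| eval sevenDaysAgo = now() - (7*24*3600)
| where isnull(lastTime) OR lastTime < sevenDaysAgo
| eval status = if(isnull(lastTime), "never reported", "stale")
| eval age_days = if(isnull(lastTime), null(), round((now() - lastTime) / 86400, 1))
| convert ctime(lastTime)
| sort - age_days
```

The tstats call gives the most recent event time per source/sourcetype pair straight from the index metadata, so it is cheap even over a long range. Appending the lookup rows and re-aggregating with stats leaves the expected pairs that have no indexed data with an empty lastTime, which the where clause picks up as "never reported" alongside the stale ones. Run it with a time range wider than the 7-day threshold (for example, last 90 days); if the picker is set to the last 7 days, a stale source simply has no rows in the window and would only be caught if it is in the lookup. Restrict index=* to the index the update logs actually land in if the search is scheduled as an alert.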
Thanks! That's giving me exactly the data I need.
ahh beat me to it! Up-voted