- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- How to edit search string for date?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit search string for date?
Hello fellow Splunkers. I need a little help with an issue I am having with one of my dashboards. Im sure its a simple fix but am having a tough time figuring out the correct way to do it. A little background, we created a dashboard to check the status of connected forwarders for our auditing purposes. With the new infrastructure we have a VDI setup that spins up a new hostname when a new user logs in. This results in our dashboard having a bunch of different forwarders showing as offline. I want to add in to the search to get everything that hasnt reported into the dashboard in the past 5 days to not be pulled into the chart. the search string is below, the time I am would like to filter off of is the last_phone_home. Thanks for any help you can provide!
| inputlookup hosts.csv
| table *
| join max=0 [| rest splunk_server=local /services/deployment/server/clients
| fields - applications.* serverClasses.* eai* splunk_server author id title
| collect index=summary addtime=true marker="dataset=deployment_server_clients"
| eval diff=now()-lastPhoneHomeTime
| eval status=if(diff>120, "Connection Failed", "Connection Successful")
| rename hostname as host]
| rename utsname as platform
| eval last_phone_home=strftime(lastPhoneHomeTime, "%F - %T")
| eval hostname=lower(hostname)
| eval last_hourly_check=strftime(last_hourly_check, "%F - %T")
| table host platform ip splunkVersion last_phone_home status
| sort status
| dedup host - Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a lookup of uf connections to your Splunk instance.
Here's an example of something that I've used:
index=_internal sourcetype=splunkd group=tcpin_connections version=* os=* arch=* build=* hostname=* source=*metrics.log earliest=-1h@h
| stats latest(_time) as _time latest(version) as version,latest(arch) as arch,latest(os) as os,latest(build) as build latest(fwdType) AS type latest(sourceIp) AS src_ip by hostname
| eval last_seen_epoch=_time | eval last_seen_date=strftime(_time,"%Y-%m-%d")
| eval nt_host=UPPER(hostname)
| append [| inputlookup splunk_forwarder_client_version_lookup.csv]
| dedup nt_host
| eval last_seen_age = ROUND((now()-last_seen_epoch)/86400, 0)
| where last_seen_age < 31
| table nt_host arch os build version type src_ip last_seen_age last_seen_date last_seen_epoch
| outputlookup splunk_forwarder_client_version_lookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
you should check relative_date function to get correct day. And when you are comparing those date, it's better to convert those first to epoch (strptime). Later convert back to human readable format if needed.
BUT I think that there is issue when you are using rest to get these UFs. Rest shows only those clients which has connected e.g. after you have reload deployment server configuration etc. I expecting that you are try to fix this issue with your inputlookup and summary index and probably this is fixing that? Another way is look those nodes from _internal index. Just look e.g. component=DC* or Deploy* and you will get a list of nodes which has connected to earlier to your DS.
r. Ismo
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
