How do I find the time events have been sent in fo...

Fats120 · ‎04-07-2022

How do I find the time events have been sent in for the last 3 days. I want to see the time 53 different events came in

gcusello · ‎04-07-2022

Hi @Fats120,

I'm not sure to understand you request:

do you want the timestamp or the indexing time of each event?

what do you mean with "53 different events came"?

Ciao.

Giuseppe

Fats120 · ‎04-07-2022

So I need to monitor 53 different events.

I need to know what time every event came in for the last 3 days.

gcusello · ‎04-07-2022

Hi @Fats120,

you need to know 53 generic events or specific (e.g. matching a string or a field)?

anyway you have to use the head command, something like this:

your_search
| head 53

Ciao.

Giuseppe

Fats120 · ‎04-07-2022

No i need a table to show what time all events in the last 3 days came in

Sorry for not being clear enough

gcusello · ‎04-07-2022

Hi @Fats120,

did you tried something like this?

your_search
| head 53
| table _time

I'm not sure to understand you request because it's a too simple answer!

Ciao.

Giuseppe

Fats120 · ‎04-07-2022

Essentially the search needs to look into a CSV file and show a table of all the events that are coming in for the last 3 days, i tried this search you provided but no luck.

ITWhisperer · ‎04-08-2022

Does your csv contain values that you want to search in your index over the last 3 days and extract the matching events?

Assuming your csv has a column called key and your events also have a field called key, you can do something like this

index=your index earliest=-3d@d latest=@d
  [| inputlookup your.csv | fields key]

If the field names between your csv and your index don't match, you can use rename the rename the field from the csv so that it matches the field in the indexed events

Fats120 · ‎04-07-2022

a time stamp of all events

gcusello · ‎04-07-2022

Hi @Fats120,

at first how the rows of the CSV file are indexed in Splunk: in an index or in a lookup?

if in an index, you have to check if the "time" column of the csv is correctly associated to the timestamp or not.

if yes, you can run a search like this:

index=your_index
| head 53
| table _time

if it isn't associated to a timestamp but it's in a field called e.g. "time" and using the format "YYYY-mm-dd HH:MM:SS" you have to add an additional filter, something like this:

index=your_index 
| eval time=strptime(time,"%Y-%m-%d %H:%M:%S")
| where time>now()-3600*24*3
| head 53
| table _time

If instead the data are in a lookup and there a field called "time", you could run something like this:

| inputlookup your_lookup 
| eval time=strptime(time,"%Y-%m-%d %H:%M:%S")
| where time>now()-(3600*24*3)
| head 53
| table _time

Ciao.

Giuseppe

teunlaan · ‎04-08-2022

So you want to see WHEN the event arrived at the indexer? So tou need the see the indextime

index=your search | rename _indextime as indextime | eval indextime=strftime(indextime,"%Y-%m-%d %H:%M:%S") | table  _time indextime _raw

This shows:

_time = time splunk thinks it is

indexertime = time splunk saved thet data to disk

_raw = the event

How do I find the time events have been sent in for the last 3 days?

table

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases