Splunk Lantern

Hosts logging data in a certain timeframe

An anomaly occurred on your network in the last 24 hours. Your boss wants a report of all hosts that communicated over the network during that time. The report needs to include the time of the first and last transaction each host had. 

Required data

The data needed in this procedure depends on the types of events you are investigating. The data descriptors can help you decide what data is appropriate for your goal.

Procedure

  1. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|metadata type=hosts
|eval "Last Seen"=now()-recentTime
|search "Last Seen" < 86400
  2. The results show all hosts that sent data to the network in the last 24 hours. However, the information in the table is difficult to read. Add the following to the search: 
|rename totalCount AS Count firstTime AS "First Event" lastTime AS "Last Event" recentTime AS "Last Update"
|fieldformat "First Event"=strftime('First Event', "%c")
|fieldformat "Last Event"=strftime('Last Event', "%c")
|fieldformat "Last Update"=strftime('Last Update', "%c")
|eval "Minutes Behind"= round(('Last Seen'/60), 2)
|eval "Hours Behind"= round(('Last Seen'/3600), 2)
|table host, "First Event" "Last Event" "Last Update" "Hours Behind" "Minutes Behind"
|sort - "Minutes Behind" 
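The following Python script is an added example, not part of the original Lantern article and not Splunk code: it re-implements the search pipeline above over a constructed set of rows shaped like the output of `| metadata type=hosts` (host, totalCount, firstTime, lastTime, recentTime), so you can check the arithmetic (seconds to minutes and hours, the strict `< 86400` boundary, the descending sort) without a Splunk instance. It goes slightly beyond the search by also returning the complement, the hosts whose last update falls outside the window. The timestamps, host names and the fixed `NOW` value are invented for the example.

```python
from datetime import datetime

# Constructed reference time standing in for now() in the SPL search.
NOW = 1_700_000_000  # epoch seconds, invented for this example

# Constructed rows shaped like "| metadata type=hosts" output; all values are invented.
METADATA_ROWS = [
    {"host": "web-01",    "totalCount": 12000, "firstTime": NOW - 86400 * 30,
     "lastTime": NOW - 330,          "recentTime": NOW - 300},
    {"host": "db-02",     "totalCount": 800,   "firstTime": NOW - 86400 * 10,
     "lastTime": NOW - 14400,        "recentTime": NOW - 14370},
    {"host": "edge-03",   "totalCount": 10,    "firstTime": NOW - 86400 * 5,
     "lastTime": NOW - 86400,        "recentTime": NOW - 86400},   # exactly 24h: excluded
    {"host": "legacy-07", "totalCount": 55,    "firstTime": NOW - 86400 * 400,
     "lastTime": NOW - 86400 * 3,    "recentTime": NOW - 86400 * 3},
]

WINDOW_SECONDS = 86400  # the literal used by |search "Last Seen" < 86400


def fmt_local(epoch):
    """Equivalent of fieldformat ... strftime(field, "%c"): locale format, display only."""
    return datetime.fromtimestamp(epoch).strftime("%c")


def last_seen_report(rows, now=NOW, window=WINDOW_SECONDS):
    """Mirror the SPL pipeline: Last Seen = now - recentTime, keep rows strictly
    inside the window, rename/format fields, compute Minutes/Hours Behind and
    sort by Minutes Behind descending (oldest activity first)."""
    report = []
    for r in rows:
        last_seen = now - r["recentTime"]          # |eval "Last Seen"=now()-recentTime
        if not last_seen < window:                  # |search "Last Seen" < 86400
            continue
        report.append({
            "host": r["host"],
            "Count": r["totalCount"],               # |rename totalCount AS Count
            "First Event": fmt_local(r["firstTime"]),
            "Last Event": fmt_local(r["lastTime"]),
            "Last Update": fmt_local(r["recentTime"]),
            "Hours Behind": round(last_seen / 3600, 2),   # 3600 s per hour
            "Minutes Behind": round(last_seen / 60, 2),
        })
    report.sort(key=lambda row: row["Minutes Behind"], reverse=True)  # |sort - "Minutes Behind"
    return report


def silent_hosts(rows, now=NOW, window=WINDOW_SECONDS):
    """Complement of the search: hosts with no update inside the window,
    as (host, hours behind) pairs, most stale first."""
    stale = [(r["host"], round((now - r["recentTime"]) / 3600, 2))
             for r in rows if not (now - r["recentTime"]) < window]
    return sorted(stale, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for row in last_seen_report(METADATA_ROWS):
        print(row)
    print("silent:", silent_hosts(METADATA_ROWS))
```

Note the boundary: a host whose last update is exactly 86400 seconds old is excluded by the strict `<` comparison, just as in the SPL search, and the hours column divides by 3600, not 3660.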

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

|metadata type=hosts

Return host metadata generated at the time data was written to an index.

The metadata command can also be used to see the sources and source types on your network.

You can only use the metadata command if you have the get_metadata capability added to your role. 

|eval "Last Seen"=now()-recentTime

Calculate a value called "Last Seen" that is now minus the recentTime.

|search "Last Seen" < 86400

Search for all values of "Last Seen" that are less than 86400 seconds (24 hours).

The recentTime field is provided in seconds.

|rename totalCount AS Count firstTime AS "First Event" lastTime AS "Last Event" recentTime AS "Last Update"

Rename the fields as shown for better readability.

|fieldformat "First Event"=strftime('First Event', "%c")

Convert the way the time of the first event is displayed into the format of the locale, as defined by the server's operating system.

Fieldformat does not change the underlying value of the field.

|eval "Minutes Behind"= round(('Last Seen'/60), 2)

Calculate "Minutes Behind" by converting "Last Seen" from seconds into minutes and rounding to two decimal places.

|eval "Hours Behind"= round(('Last Seen'/3600), 2)

Calculate "Hours Behind" by converting "Last Seen" from seconds into hours (3600 seconds per hour) and rounding to two decimal places.

|table host, "First Event" "Last Event" "Last Update" "Hours Behind" "Minutes Behind"

Display the results in a table with columns in the order shown.

|sort - "Minutes Behind" 

Sort the table by "Minutes Behind" with the oldest value first.

Next steps

The results include everything your boss asked for, as well as the number of hours and minutes between each host's last activity and the time of the search. You can print or export the results table, or click Save As > Report to save it for viewing later. 

Finally, you might be interested in other processes associated with the Creating a timebound picture of network activity use case.