Hosts logging data in a certain timeframe
An anomaly occurred on your network in the last 24 hours. Your boss wants a report of all hosts that communicated over the network during that time. The report needs to include the time of the first and last transaction each host had.
Required data
Procedure
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
    |metadata type=hosts |eval "Last Seen"=now()-recentTime |search "Last Seen" < 86400 
- The results show all hosts that sent data in the last 24 hours: every host whose most recent indexed event (recentTime) is less than 86400 seconds old. Hosts that have gone quiet for longer than that are not listed; to report those instead, change the comparison to "Last Seen" > 86400. The 86400 value is a fixed 24-hour window, so adjust it if you change the time range. The table is difficult to read as it stands, so add the following to the search (note that hours are 3600 seconds, not 3660):
    |rename totalCount AS Count firstTime AS "First Event" lastTime AS "Last Event" recentTime AS "Last Update" |fieldformat "First Event"=strftime('First Event', "%c") |fieldformat "Last Event"=strftime('Last Event', "%c") |fieldformat "Last Update"=strftime('Last Update', "%c") |eval "Minutes Behind"=round(('Last Seen'/60), 2) |eval "Hours Behind"=round(('Last Seen'/3600), 2) |table host "First Event" "Last Event" "Last Update" "Hours Behind" "Minutes Behind" |sort - "Minutes Behind"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| \|metadata type=hosts | Return host metadata generated at the time data was written to an index. The metadata command can also be used to see the sources and source types on your network. You can only use the metadata command if you have the get_metadata capability added to your role. |
| \|eval "Last Seen"=now()-recentTime | Calculate a value called "Last Seen" that is the current time minus recentTime, the time the most recent event from that host was indexed. |
| \|search "Last Seen" < 86400 | Keep only hosts whose "Last Seen" value is less than 24 hours (86400 seconds). Both now() and the recentTime field are in epoch seconds. |
| \|rename totalCount AS Count firstTime AS "First Event" lastTime AS "Last Event" recentTime AS "Last Update" | Rename the fields as shown for better readability. |
| \|fieldformat "First Event"=strftime('First Event', "%c") \|fieldformat "Last Event"=strftime('Last Event', "%c") \|fieldformat "Last Update"=strftime('Last Update', "%c") | Convert the way the times of the first event, last event, and last update are displayed into the format of the locale, as defined by the server's operating system. Fieldformat does not change the underlying value of the field, so the fields still sort and compare as epoch numbers. |
| \|eval "Minutes Behind"=round(('Last Seen'/60), 2) | Convert "Last Seen" from seconds into minutes and round to two decimal places. |
| \|eval "Hours Behind"=round(('Last Seen'/3600), 2) | Convert "Last Seen" from seconds into hours (3600 seconds per hour) and round to two decimal places. |
| \|table host "First Event" "Last Event" "Last Update" "Hours Behind" "Minutes Behind" | Display the results in a table with columns in the order shown. |
| \|sort - "Minutes Behind" | Sort the table by "Minutes Behind" in descending order, so the host that has been quiet the longest appears first. |
Next steps
The results include everything your boss asked for, as well as how many hours and minutes before the time of the search each host was last active. You can print or export the results table, or click Save As > Report to save it for viewing later.
Finally, you might be interested in other processes associated with the Creating a timebound picture of network activity use case.

