Hi Splunkers,
I have the events getting ingested as below:
timestamp patch_version
hostname
Now, I want to create one lookup csv named 'PatchDate' which contains columns with values
Host,MaxAge
default,30
Now, I want to implement two pieces of logic:
1. For each event received generate the MAXAGE value to be used.
IF == Host ]
THEN
Use the MaxAge value.
ELSE
Use the MaxAge value for ( Host == “default” )
END-IF
2. Calculate the DAYSSINCECHANGE for the
Generate current TimeStamp => (need to write a rex command as field is not extracted)
Calculate Difference between and for event => DIFFERENCE
IF DIFFERENCE > 30
THEN It will throw alert.
Kindly help me to build the query.
TIA
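One way to express both pieces of logic in a single SPL search, as an added example and not part of the original post. It assumes a lookup definition named `PatchDate` that points at the `PatchDate.csv` file described above, that each raw event is one line of the form `timestamp patch_version hostname`, and that the timestamp is ISO-8601 (`%Y-%m-%dT%H:%M:%S`); the `index` and `sourcetype` names and the regex are placeholders to be adjusted to the real data.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw "^(?<patch_time>\S+)\s+(?<patch_version>\S+)\s+(?<hostname>\S+)$"
| eval default_key="default"
| lookup PatchDate Host AS hostname OUTPUT MaxAge AS host_maxage
| lookup PatchDate Host AS default_key OUTPUT MaxAge AS default_maxage
| eval MAXAGE=coalesce(tonumber(host_maxage), tonumber(default_maxage))
| eval patch_epoch=strptime(patch_time, "%Y-%m-%dT%H:%M:%S")
| eval DAYSSINCECHANGE=round((now() - patch_epoch) / 86400, 0)
| dedup hostname
| where DAYSSINCECHANGE > MAXAGE
| table _time hostname patch_version patch_time DAYSSINCECHANGE MAXAGE
```

The two `lookup` calls implement the IF/ELSE: the first matches the event's hostname against `Host`, the second matches the constant `default`, and `coalesce` picks the host-specific `MaxAge` when one exists and otherwise falls back to the `default` row (30 in the lookup above). `DAYSSINCECHANGE` is the age of the patch timestamp in whole days, and the `where` clause only keeps events older than their effective `MAXAGE`, which is what the alert should fire on. `dedup hostname` keeps only the most recent event per host so that a host which has since been patched does not keep alerting on old events; remove it if every stale event should be reported. Saved as an alert with a trigger condition of "number of results greater than 0", this search raises the alert the post describes.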