adding time fields for fr #8

Signed-off-by: Zach Christensen <23529374+ZachChristensen28@users.noreply.github.com>
splunk · Aug 27, 2022 · 04d8acb · 04d8acb
1 parent 9fc2a17
commit 04d8acb
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/src/SA-CrowdstrikeDevices/default/savedsearches.conf b/src/SA-CrowdstrikeDevices/default/savedsearches.conf
@@ -35,6 +35,11 @@ search = `sa_crowdstrike_index` sourcetype="crowdstrike:device:json" \
     "cs_tags:".lower(replace(mvjoin('falcon_device.tags{}', ","),"(?i)FalconGroupingTags/|sensorgroupingtags/", "")),\
     "gen:sa-crowdstrike"\
     ))), "|"), " |-", "_"), "(?:\|[^:]+:[_]+)(\|*)", "\1"),\
+    category=category."|".mvjoin(mvappend(\
+    "cs_first_seen:".strftime(strptime('falcon_device.first_seen',"%FT%T%Z"), "%x %T %Z"),\
+    "cs_last_seen:".strftime(strptime('falcon_device.last_seen',"%FT%T%Z"), "%x %T %Z"),\
+    "splunk_last_updated:".strftime(now(), "%x %T %Z")\
+    ), "|"),\
     nt_host=lower('falcon_device.hostname'),\
     dns=lower(nt_host.".".'falcon_device.machine_domain'),\
     mac=lower(replace('falcon_device.mac_address', "-", ":")),\