topic Re: Earliest_time and Latest_time in Splunk Search

Earliest_time and Latest_time

astatrial — Wed, 30 Sep 2020 01:53:17 GMT

Hi all,
I am trying to use Earliest_time and Latest_time in splunk query in order to simulate the REST API (running the query from the search), but for some reason it doesn't work with Data model. With index="main" (without DM) it does work.
I am
Query that is working:

index="main"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()

Query that is not working:

| from datamodel:"Authentication"."Failed_Authentication" 
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()

By working i mean that the time range is showing 24h:

 (8/24/19 11:18:13.000 AM to 8/25/19 11:18:13.000 AM)

Thanks for the helpers!!

Re: Earliest_time and Latest_time

Sukisen1981 — Wed, 30 Sep 2020 01:53:20 GMT

| from datamodel:"Authentication"."Failed_Authentication"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()|
where _time >= relative_time(now(),"-24h")
does this work?

Re: Earliest_time and Latest_time

astatrial — Sun, 25 Aug 2019 09:19:40 GMT

Doesn't work either.

Re: Earliest_time and Latest_time

Sukisen1981 — Sun, 25 Aug 2019 09:23:00 GMT

hmm could we see a bit more
if you do | datamodel
what is the output (can you paste a screengrab?) can you see time in the output?

Re: Earliest_time and Latest_time

Sukisen1981 — Sun, 25 Aug 2019 09:27:45 GMT

see the json output carefully, i suspect any reference to 'time' is missing

Re: Earliest_time and Latest_time

astatrial — Sun, 25 Aug 2019 10:42:00 GMT

I added two pics.
You can see there that the data model has a _time field.
Also when i table the results by _time i have results.

Re: Earliest_time and Latest_time

Sukisen1981 — Wed, 30 Sep 2020 01:53:26 GMT

| tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-24h latest_time=now()

this works on the internal_server and should work for you as it runs on the default internal index.
if this runs all you need to do is replace the datamodel name with yours

Re: Earliest_time and Latest_time

astatrial — Wed, 30 Sep 2020 01:53:29 GMT

I ran your query and it also doesn't refer to the time inside the query, but to the time in the time picker.
time picker set to 15 minutes.

"| tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-24h latest_time=now()"

Complete 7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM)

Re: Earliest_time and Latest_time

Sukisen1981 — Wed, 30 Sep 2020 01:53:31 GMT

hi @astatrial
I am not very clear on this - ' and it also doesn't refer to the time inside the query, but to the time in the time picker.time picker set to 15 minutes.'
it will calculate the time from now() till 15 mins. ago . when you run index=xyz earliest_time=-15min latest_time=now()
This also will run from 15 mins ago to now(), now() being the splunk system time.
so if i run this | tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-15min latest_time=now()
i ran this for -24 h with 15 mins in the timepicker, ad you can see - values(date_mday) has 24 and 25, that is yesterday and today and values(date_hour) of course, has hours0-23. Does not look like this for you?

Re: Earliest_time and Latest_time

astatrial — Sun, 25 Aug 2019 12:06:12 GMT

Yes this is exactly what i say.
I have to use from datamodel and not tstats any way.
The most weird thing is that the original query does work on other system.

Re: Earliest_time and Latest_time

Sukisen1981 — Wed, 30 Sep 2020 01:53:34 GMT

hi @astatrial
tstats is a good and recommended way to search accelarated datamodels, you can rename values(fields) as your chosen field names. tstats values returns the values associated with the datamodel.
Coming to the timepicker issue, it does not matter what value you choose from the timepicker WHERE you have defined time modifiers in the query, this is a default functionality. time modifier will always over ride the time picker, that is true in general for any splunk query. why would you assign time modifiers if you want a selection based on the time picker?

'The most weird thing is that the original query does work on other system. ' are you saying this in reference to your datamodel query , that is this one - | from datamodel:"Authentication"."Failed_Authentication"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()

If yes, it could be a permission issue. can you check permissions under this - Settings->Data models?
if the users who are able to use the above query exist, they are perhaps in the admin role.
Alternatively, you can also assign the accelerate_search capability to the users who are not able to run this datamodel search. All this however is assuming that the above datamodel query works for some users.
Can you check it out?

Re: Earliest_time and Latest_time

astatrial — Sun, 25 Aug 2019 12:43:51 GMT

I don't want the selection to be base on the time picker, but it does it any way (i get "7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM") instead of a time window of 24 hours).

I am familiar with this command, but i still have to use "from datamodel".

I already checked the permissions, i have all necessary ones.

The two systems a a bit different. Both in aspect of cloud vs enterprise and versions 7.0.9.1 vs 7.3