topic Re: specify time with rest command in Splunk Search

How to specify time with rest command?

sarit_s — Wed, 28 Sep 2022 16:05:56 GMT

Hello,
I have a rest query with a field that contain date and time

Is it possible to limit the search by this field so it will search for the last 15 minutes ?

thanks

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 08:52:58 GMT

the rest command extract the data, then you can filter this data using the fields containing time and data as all the other fields.

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 08:55:13 GMT

yes, I have this field

but since with rest command the time Peaker is not working i need to get it from the query

something like earliest and latest based on specific field

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 09:01:21 GMT

Hi @sarit_s,

you cannot use the time picker in the usual way: you have to pass the tokens to the search creating the filters, e.g. if the Time Picker token is called "Time" and the fields containing date (09/28/2022) and time (11:11.22) are "date" and "time"

| rest ..... | eval timestamp=strptime(date.time,"%m/%d/%Y%H:%M:%S") | search timestamp>$Time.earliest$ timestamp<$Time.latest$

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 09:04:08 GMT

thanks

how can i set the tokens ?

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 09:18:42 GMT

Hi @sarit_s,

you can set the tokens using the Time Picker or another input.

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 09:25:33 GMT

this is my query :

|rest /servicesNS/admin/search/alerts/fired_alerts/- |fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName]

trigger_time_rendere looks like : 2022-09-28 09:20:31 UTC

when inserting this part :

| eval timestamp=strptime(date.time,"%Y/%m/%d%H:%M:%S") | search timestamp>$trigger_time_rendere.earliest$ timestamp<$trigger_time_rendere.latest$

im getting no result at all

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 09:47:15 GMT

Hi @sarit_s,

to compare timestamps, you have to convert all of them in epochtime:

| eval timestamp=strptime(date.time,"%Y/%m/%d%H:%M:%S"), trigger_time_earliest=strptime($trigger_time_rendere.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($trigger_time_rendere.latest$,"%Y/%m/%d%H:%M:%S") | search timestamp>trigger_time_earliest timestamp<trigger_time_latest

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 09:49:32 GMT

still no results 😞

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 09:52:45 GMT

Hi @sarit_s,

when I said "date.time" I meant to create a timestamp with the two fields that you said to have, but what are the field names of date and time that you said to have in the rest outputs?

You have to put them in the eval command to create the timestamp field to use in the filter.

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 09:56:42 GMT

i have 1 field with date and time

trigger_time_rendered

|rest /servicesNS/admin/search/alerts/fired_alerts/- |fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | eval timestamp=strptime(trigger_time_renderede,"%Y/%m/%d%H:%M:%S"), trigger_time_earliest=strptime($trigger_time_rendered.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($trigger_time_rendered.latest$,"%Y/%m/%d%H:%M:%S") | search timestamp>trigger_time_earliest timestamp<trigger_time_latest | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName]

the fact that it contains also the TZ related ? maybe it should be also part of the convert ?

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 10:01:48 GMT

Hi @sarit_s,

please try this:

| eval trigger_time_rendere=strptime(trigger_time_rendere,"%Y/%m/%d%H:%M:%S"), | search trigger_time_rendere>$Time.earliest$ trigger_time_rendere<$Time.latest$

if it doesn't run, please tell me the result of:

| eval trigger_time_rendere=strptime(trigger_time_rendere,"%Y/%m/%d%H:%M:%S"), | table trigger_time_rendere $Time.earliest$ $Time.latest$

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 10:05:20 GMT

no results for both

what is it 'Time' ? I don't have such field

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 10:07:48 GMT

Hi @sarit_s,

as I said in my first answer "Time" is the Time Picker Token.

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 10:59:53 GMT

ok.. so ive added the token and still nothing

|rest /servicesNS/admin/search/alerts/fired_alerts/- |fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | eval timestamp=strptime(trigger_time_rendered,"%Y/%m/%d%H:%M:%S"), trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S") | search timestamp>trigger_time_earliest timestamp<trigger_time_latest | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName]

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 11:10:41 GMT

Hi @sarit_s,

if the forma of trigger_time_rendere is like : 2022-09-28 09:20:31 UTC

the eval isn't correct, please replace this:

| rest /servicesNS/admin/search/alerts/fired_alerts/- | fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | eval timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"), trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S") | search timestamp>trigger_time_earliest timestamp<trigger_time_latest | join savedsearch_name [ | rest splunk_server=local count=0 /services/saved/searches | rename title as savedsearch_name | lookup mailingList.csv "action.email.to" OUTPUT teamName | table action.email.to savedsearch_name teamName]

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 12:03:29 GMT

still nothing 😞

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 12:20:24 GMT

Hi @sarit_s,

please execute this and tell me the results:

| rest /servicesNS/admin/search/alerts/fired_alerts/- | fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered | eval timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"), trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"), trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S") | table timestamp trigger_time_rendered trigger_time_earliest $last_15_mins.earliest$ trigger_time_latest $last_15_mins.latest$

check if you have all the values and if the format is correct.

Ciao.

Giuseppe

Re: specify time with rest command

sarit_s — Wed, 28 Sep 2022 12:24:07 GMT

only timestamp and

trigger_time_rendered

has values, all the rest are empty

maybe im getting the wrong token, i took it from
settings -->user interface » Time ranges

Re: specify time with rest command

gcusello — Wed, 28 Sep 2022 12:35:23 GMT

Hi @sarit_s,

no, you have to take the token in your dashboard, in the Time Picker.

The token name is setted by you.

Ciao.

Giuseppe