topic Re: time now to 24 hours earlier search with %H:%M:%S AM/PM, %a %m/%d/%Y format in Splunk Search

How do you set up the search so that it will search for the last 24 hours using the current date?

flynegal — Mon, 18 Sep 2023 22:09:21 GMT

Splunk newby here. I have a search that works if I change it every day but would like to add it to a dashboard for monitoring without having to change the date. It looks for all the newly created accounts in the current/past day, depending on what date I put in. The search is index=Activedirectory whenCreated="*,9/15/23" |table whenCreated, name, manager, title, description then search for last 24 hours. The format of the time is %H:%M:%S AM/PM, %a %m/%d/%Y. The 2 issues I am having are, how do you specify the AM/PM and how do you set up the search so that it will search for the last 24 hours using the current date. I was thinking it is "time()" but I am not successful in getting the results I need.

Re: time now to 24 hours earlier search with %H:%M:%S AM/PM, %a %m/%d/%Y format

ITWhisperer — Sat, 16 Sep 2023 06:16:49 GMT

You can override the time picker by setting earliest and latest on your initial search line

index=Activedirectory earliest=-24h latest=now()

Re: time now to 24 hours earlier search with %H:%M:%S AM/PM, %a %m/%d/%Y format

bowesmana — Mon, 18 Sep 2023 00:17:22 GMT

Does the _time of the event equate to the time of the whenCreated field?

If your event time is different to the whenCreated value, then if you want to find all accounts created in the past day, you need to know what the event times will be for those events - Splunk will always retrieve events from a given time window you specify.

If you just search for -24h to now then if you have events where the whenCreated date is older than 24 hours ago then you need to parse that field and compare, i.e.

... | eval created=strptime(whenCreated, "%I:%M:%S %p, %a %m/%d/%y" | where created>=relative_time(now(), "-24h")

As for your time format string, there are a 3 issues

%H is a 24 hour clock and as you have AM/PM in your time string, you would use %I to parse a 12 hour format.
%p is the notation for AM/PM
%Y is a 4 digit year - your whenCreated date is only 2 digits, in which case you should use %y

See the docs here

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Commontimeformatvariables

Re: time now to 24 hours earlier search with %H:%M:%S AM/PM, %a %m/%d/%Y format

flynegal — Wed, 20 Sep 2023 12:45:55 GMT

You will need a closing parenthesis in the eval statement if you copy and paste this solution. Thank you for the assist!

| eval created=strptime(whenCreated, "%I:%M:%S %p, %a %m/%d/%y")
| where created>=relative_time(now(), "-48h")