topic Re: How to get searches with time range as All Time? in Splunk Search

How to get searches with time range as All Time?

Taruchit — Thu, 29 Aug 2024 18:06:50 GMT

Hello All,

I need to search for SPLs having time range as All time. I used the below SPL:-

index=_audit action=search provenance=* info=completed host IN (...) |table user, apiStartTime, apiEndTime, search_,et, search_lt, search |search apiStartTime='ZERO_TIME' OR apiEndTime='ZERO_TIME' |convert ctime(search_*)

I get results with

apiStartTime as Empty

apiEndTime as 'ZERO_TIME'

search_et 07/31/2024 00:00:00

search_lt 08/29/2024 13:10:58

Thus, how do I interpret the above results and how do I modify the SPL to fetch correct results?

Thank you

Taruchit

Re: How to get searches with time range as All Time?

gcusello — Fri, 30 Aug 2024 06:54:15 GMT

Hi @Taruchit ,

at first don't use the search command when you cn put all the parameters in the main search.

Then I'd avoid to use all time in a search because you could have too many events, but define a useful timerange.

index=_audit action=search provenance=* info=completed host IN (...) (apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME") | table user, apiStartTime, apiEndTime, search_,et, search_lt, search | convert ctime(search_*)

about the meaning of the results, they dependsa on the parameters you defined, probably with apiEndTime="ZERO_TIME" you don't have the apiStartTime field.

Analyze your search and modify it to have the best results for you.

Ciao.

Giuseppe

Re: How to get searches with time range as All Time?

ITWhisperer — Fri, 30 Aug 2024 07:37:39 GMT

apiStartTime and apiEndTime are not set when info=completed but are set when info=granted - try something like this

index=_audit action=search provenance=* info=granted host IN (...) (apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME") | table user, apiStartTime, apiEndTime, search_et, search_lt, search | convert ctime(search_*)