How to specify a day in the alert?

theouhuios · ‎06-21-2013

Hello

I have a search which creates thresholds and outputs it into a lookup. As of now its looking at 4hr spans, but I want it to look at data at some precise intervals. Like earliest starts at 12:00 AM and the latest ends at 11:59:59 PM. I can then use buckets of 4h span. How do I specify the exact time in earliest and latest? I do know that I can create a search for earliest at -4h@h and latest at @h and run it every 4 hours and schedule it at 12:00 , but that doesn't seem to give exact results.

I thought of doing it in seconds, but I am wondering on how do I do it.

Please let me know .

Thanks

aholzer · ‎06-21-2013

Use the "snap to" function for your earliest and latest and then just add hours, minutes and seconds equivalent to where you want it to reach.

earliest=-4h@d <= this will snap to 00:00:00 of the given day the -4h calculates to. Examples: you run the search at 5pm, it will snap to 00:00:00 of today. If you run the search at 2am, it will snap to 00:00:00 of yesterday.

latest=-1m@d+23h+59m+59s <= this will snap to 00:00:00 of the given day the -1m calculates to, and then will add 23 hours, 59 minutes, and 59 seconds

Hope this helps

aholzer · ‎07-09-2013

Apparently @d+24h-1s is valid as well. Rather than having to specify @d+23h+59m+59s

sdaniels · ‎06-21-2013

you could use the weekday modifiers like @w0 (Sunday). This would give you the last full business week earliest=-7d@w1 latest=@w6 and then you could bucket it by 4 hour time windows.

How to specify a day in the alert?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?