I am trying to use earliest_time and latest_time in a Splunk query in order to simulate the REST API (running the query from the search), but for some reason it doesn't work with a data model. With index="main" (without the DM) it does work.
Query that is working:
index="main" | search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()
Query that is not working:
| from datamodel:"Authentication"."Failed_Authentication" | search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()
By working I mean that the time range is showing 24h:
(8/24/19 11:18:13.000 AM to 8/25/19 11:18:13.000 AM)
Thanks for the helpers!!
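Added example (Python; not from the thread, and not Splunk's own code): it resolves Splunk-style relative time modifiers such as -24h, -15min and -1d@d against a fixed clock, and builds the form fields for a REST search job (POST /services/search/jobs), so the window a query will actually run over can be checked before it is submitted. The modifier grammar here is a simplified model of Splunk's (offset first, then an optional @snap; month and year units are left out), the reference time is constructed from the timestamps quoted in the thread, and the function names are the example's own.

```python
"""Resolve Splunk-style relative time modifiers and build REST search-job parameters.

Simplified model of Splunk's syntax: [+|-]<n><unit>[@<snap_unit>] or "now"/"now()";
the offset is applied first, then the snap. Month/quarter/year units are not handled.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Canonical unit for each alias accepted here (a subset of Splunk's aliases).
_ALIASES = {
    "s": ("s", "sec", "secs", "second", "seconds"),
    "m": ("m", "min", "mins", "minute", "minutes"),
    "h": ("h", "hr", "hrs", "hour", "hours"),
    "d": ("d", "day", "days"),
    "w": ("w", "week", "weeks"),
}
UNIT_CANON = {alias: canon for canon, aliases in _ALIASES.items() for alias in aliases}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

_REL = re.compile(r"^(?P<sign>[+-])?(?P<n>\d+)?(?P<unit>[a-z]+)?(?:@(?P<snap>[a-z]+))?$")


def _snap(t: datetime, unit: str) -> datetime:
    """Round `t` down to the start of the unit (weeks snap back to Sunday, as Splunk does)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    return day - timedelta(days=(day.weekday() + 1) % 7)  # "w": Monday is 0, so Sunday is 6


def resolve_time_modifier(modifier: str, now: datetime) -> datetime:
    """Resolve "now", "now()", "-24h", "-15min", "-1d@d", "@w", ... relative to `now`."""
    mod = modifier.strip().lower()
    if mod in ("now", "now()"):
        return now
    m = _REL.match(mod)
    if not m or not (m.group("unit") or m.group("snap")):
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    t = now
    if m.group("unit"):
        unit = UNIT_CANON.get(m.group("unit"))
        if unit is None:
            raise ValueError(f"unsupported unit in {modifier!r}")
        secs = int(m.group("n") or 1) * UNIT_SECONDS[unit]  # "-h" means one hour back
        t = t - timedelta(seconds=secs) if m.group("sign") == "-" else t + timedelta(seconds=secs)
    if m.group("snap"):
        snap = UNIT_CANON.get(m.group("snap"))
        if snap is None:
            raise ValueError(f"unsupported snap unit in {modifier!r}")
        t = _snap(t, snap)
    return t


def resolve_window(earliest: str, latest: str, now: datetime) -> tuple:
    """Return (start, end) of the job window the two modifiers describe."""
    start, end = resolve_time_modifier(earliest, now), resolve_time_modifier(latest, now)
    if start > end:
        raise ValueError("earliest_time is after latest_time")
    return start, end


def describe_window(earliest: str, latest: str, now_iso: str) -> tuple:
    """String-in, string-out wrapper: resolve the window against an ISO-8601 `now`."""
    start, end = resolve_window(earliest, latest, datetime.fromisoformat(now_iso))
    return start.isoformat(), end.isoformat()


def splunk_job_params(spl: str, earliest: str = "-24h", latest: str = "now") -> dict:
    """Form fields for POST /services/search/jobs.

    The job's earliest_time/latest_time bound the whole pipeline, including generating
    commands such as `| from datamodel` and `| tstats`; a later `| search` can only
    narrow that window. Splunk requires the string to start with "search" or "|".
    """
    q = spl.strip()
    if not (q.startswith("|") or q.lower().startswith("search ")):
        q = "search " + q
    return {"search": q, "earliest_time": earliest, "latest_time": latest, "output_mode": "json"}


if __name__ == "__main__":
    # Constructed reference clock, taken from the timestamps quoted in the thread.
    now = datetime(2019, 8, 25, 11, 18, 13, tzinfo=timezone.utc)
    for mod in ("-24h", "-15min", "-1d@d", "@w", "now()"):
        print(f"{mod:>8} -> {resolve_time_modifier(mod, now).isoformat()}")
    params = splunk_job_params('| from datamodel:"Authentication"."Failed_Authentication" '
                               '| search src="ABC" app="win:unknown"', "-24h", "now")
    print(urlencode(params))  # body for POST https://<splunk-host>:8089/services/search/jobs
```

The printed form body is what a client would POST to the search/jobs endpoint; with the data model query the 24-hour window comes from the earliest_time and latest_time job fields rather than from modifiers inside the SPL string.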
I am not very clear on this: 'and it also doesn't refer to the time inside the query, but to the time in the time picker. Time picker set to 15 minutes.'
It will calculate the time from now() till 15 mins ago when you run index=xyz earliest_time=-15min latest_time=now().
This will also run from 15 mins ago to now(), now() being the Splunk system time.
So if I run this: | tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-15min latest_time=now()
I ran this for -24h with 15 mins in the time picker; as you can see, values(date_mday) has 24 and 25, that is yesterday and today, and values(date_hour) of course has hours 0-23. Does it not look like this for you?
tstats is a good and recommended way to search accelerated data models; you can rename values(fields) as your chosen field names. tstats values returns the values associated with the data model.
Coming to the time picker issue, it does not matter what value you choose from the time picker WHERE you have defined time modifiers in the query; this is default functionality. A time modifier will always override the time picker; that is true in general for any Splunk query. Why would you assign time modifiers if you want a selection based on the time picker?
'The most weird thing is that the original query does work on other system.' Are you saying this in reference to your data model query, that is this one: | from datamodel:"Authentication"."Failed_Authentication"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()
If yes, it could be a permission issue. Can you check permissions under Settings -> Data models?
If the users who are able to use the above query exist, they are perhaps in the admin role.
Alternatively, you can also assign the accelerate_search capability to the users who are not able to run this data model search. All this, however, is assuming that the above data model query works for some users.
Can you check it out?
I don't want the selection to be based on the time picker, but it does it anyway (I get "7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM)" instead of a time window of 24 hours).
I am familiar with this command, but I still have to use "from datamodel".
I already checked the permissions; I have all the necessary ones.
The two systems are a bit different, both in the aspect of cloud vs enterprise and versions 22.214.171.124 vs 7.3.
| from datamodel:"Authentication"."Failed_Authentication"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now() |
where _time >= relative_time(now(),"-24h")
Does this work?
| tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-24h latest_time=now()
This works on the internal_server and should work for you as it runs on the default internal index.
If this runs, all you need to do is replace the data model name with yours.
I ran your query and it also doesn't refer to the time inside the query, but to the time in the time picker.
Time picker set to 15 minutes.
"| tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-24h latest_time=now()"
Complete 7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM)