Splunk Search

Earliest_time and Latest_time

astatrial
Contributor

Hi all,
I am trying to use earliest_time and latest_time in a Splunk query in order to simulate the REST API (running the query from the search), but for some reason it doesn't work with a data model. With index="main" (without the DM) it does work.
I am
Query that is working:

index="main"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()

Query that is not working:

| from datamodel:"Authentication"."Failed_Authentication" 
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()

By working I mean that the time range shown is 24h:

 (8/24/19 11:18:13.000 AM to 8/25/19 11:18:13.000 AM)

Thanks to the helpers!!

0 Karma

Sukisen1981
Champion

Hi @astatrial,
I am not very clear on this: "and it also doesn't refer to the time inside the query, but to the time in the time picker. Time picker set to 15 minutes."
It will calculate the time from now() back to 15 mins ago when you run index=xyz earliest_time=-15min latest_time=now().
This also will run from 15 mins ago to now(), now() being the Splunk system time.
So if I run this: | tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-15min latest_time=now()
I ran this for -24h with 15 mins in the time picker, and as you can see, values(date_mday) has 24 and 25, that is yesterday and today, and values(date_hour) of course has hours 0-23. Does it not look like this for you?

0 Karma

astatrial
Contributor

Yes, this is exactly what I say.
I have to use from datamodel and not tstats anyway.
The weirdest thing is that the original query does work on another system.

0 Karma

Sukisen1981
Champion

Hi @astatrial,
tstats is a good and recommended way to search accelerated data models; you can rename values(fields) as your chosen field names. tstats values returns the values associated with the data model.
Coming to the time picker issue: it does not matter what value you choose from the time picker WHERE you have defined time modifiers in the query; this is default functionality. A time modifier will always override the time picker; that is true in general for any Splunk query. Why would you assign time modifiers if you want a selection based on the time picker?

"The most weird thing is that the original query does work on other system." Are you saying this in reference to your data model query, that is, this one:
| from datamodel:"Authentication"."Failed_Authentication"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()

If yes, it could be a permission issue. Can you check permissions under Settings -> Data models?
If the users who are able to use the above query exist, they are perhaps in the admin role.
Alternatively, you can also assign the accelerate_search capability to the users who are not able to run this data model search. All this, however, assumes that the above data model query works for some users.
Can you check it out?

0 Karma

astatrial
Contributor

I don't want the selection to be based on the time picker, but it does it anyway (I get "7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM)" instead of a time window of 24 hours).

I am familiar with this command, but I still have to use "from datamodel".

I already checked the permissions; I have all the necessary ones.

The two systems are a bit different, both in terms of cloud vs. enterprise and versions 7.0.9.1 vs. 7.3.

0 Karma

Sukisen1981
Champion

| from datamodel:"Authentication"."Failed_Authentication"
| search src="ABC" app="win:unknown" earliest_time=-24h latest_time=now()
| where _time >= relative_time(now(),"-24h")

Does this work?

0 Karma

astatrial
Contributor

Doesn't work either.

0 Karma

Sukisen1981
Champion

Hmm, could we see a bit more?
If you do | datamodel
what is the output (can you paste a screengrab?)? Can you see time in the output?

0 Karma

Sukisen1981
Champion

See the JSON output carefully; I suspect any reference to 'time' is missing.

0 Karma

Sukisen1981
Champion

| tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-24h latest_time=now()

This works on internal_server and should work for you, as it runs on the default internal index.
If this runs, all you need to do is replace the data model name with yours.

0 Karma

astatrial
Contributor

I ran your query and it also doesn't refer to the time inside the query, but to the time in the time picker.
Time picker set to 15 minutes.

"| tstats values FROM datamodel=internal_server where nodename=server.scheduler.alerts earliest_time=-24h latest_time=now()"

Complete 7,966 events (8/25/19 2:01:19.000 PM to 8/25/19 2:16:19.000 PM)

0 Karma

astatrial
Contributor

I added two pics.
You can see there that the data model has a _time field.
Also, when I table the results by _time, I have results.

0 Karma
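Added example (not from the thread or from Splunk): the original poster wants to reproduce what the REST API does, so the script below shows the two things the thread keeps circling around. First, the search-jobs endpoint (POST /services/search/jobs) takes the window as separate earliest_time / latest_time parameters, so the SPL string itself needs no time modifier; inside SPL the search command's own modifiers are spelled earliest= and latest=, which is worth knowing when a query is copied between the two places. Second, it implements the arithmetic behind Sukisen1981's post-filter `where _time >= relative_time(now(),"-24h")` for a small subset of Splunk's relative-time syntax (sign, count, unit, optional @snap) and applies it to constructed events, so you can see how "-24h" and "-15m" windows differ independently of the time picker. The endpoint and parameter names are stated from the Splunk REST API; the sample events and the NOW timestamp are constructed for the example.

```python
"""Added example: Splunk-style relative time windows and REST search-job
parameters. Not code from the thread; sample data is constructed."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Subset of Splunk's relative time syntax: "now", "-24h", "-15m", "+1d",
# an optional "@unit" snap, e.g. "-1d@d" (offset first, then round down).
_MOD = re.compile(
    r"^(?:now)?(?:(?P<sign>[+-])(?P<n>\d+)(?P<unit>[smhdw])?)?(?:@(?P<snap>[smhdw]))?$"
)
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def relative_time(now: datetime, modifier: str) -> datetime:
    """Resolve `modifier` against `now`, like SPL relative_time() but returning
    a datetime instead of epoch seconds. A bare number is seconds, as in Splunk."""
    m = _MOD.match(modifier.strip())
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    t = now
    if m["n"] is not None:
        delta = timedelta(**{_UNIT[m["unit"] or "s"]: int(m["n"])})
        t = t - delta if m["sign"] == "-" else t + delta
    snap = m["snap"]
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "w":  # Splunk @w snaps to the previous Sunday
        t = (t - timedelta(days=(t.weekday() + 1) % 7)).replace(
            hour=0, minute=0, second=0, microsecond=0
        )
    return t


def filter_events(events: list[dict], now: datetime,
                  earliest: str = "-24h", latest: str = "now") -> list[dict]:
    """Keep events whose _time falls in [earliest, latest): the same half-open
    window Splunk applies, with earliest inclusive and latest exclusive."""
    lo, hi = relative_time(now, earliest), relative_time(now, latest)
    return [e for e in events if lo <= e["_time"] < hi]


def build_search_job_request(spl: str, earliest: str, latest: str) -> dict:
    """Form fields for POST /services/search/jobs. The REST API wants the
    window in earliest_time/latest_time, outside the SPL; a non-generating
    search must start with the literal `search` command."""
    if not spl.lstrip().startswith("|"):
        spl = "search " + spl
    return {"search": spl, "earliest_time": earliest,
            "latest_time": latest, "output_mode": "json"}


# Constructed reference time and events, loosely matching the thread's
# 8/25/19 2:16:19 PM time picker window. Not real data.
NOW = datetime(2019, 8, 25, 14, 16, 19, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"_time": NOW - timedelta(minutes=1), "src": "ABC", "app": "win:unknown"},
    {"_time": NOW - timedelta(minutes=10), "src": "ABC", "app": "win:unknown"},
    {"_time": NOW - timedelta(hours=23), "src": "ABC", "app": "win:unknown"},
    {"_time": NOW - timedelta(hours=25), "src": "ABC", "app": "win:unknown"},
]

if __name__ == "__main__":
    for window in (("-24h", "now"), ("-15m", "now")):
        hits = filter_events(SAMPLE_EVENTS, NOW, *window)
        print(window, "->", len(hits), "events")
    print(build_search_job_request(
        '| from datamodel:"Authentication"."Failed_Authentication" '
        '| search src="ABC" app="win:unknown"', "-24h", "now"))
```

Running it prints 3 events for the 24-hour window and 2 for the 15-minute one, which is the difference the poster expected to see and did not; the request dict at the end is what a client would send to the search-jobs endpoint to get the 24-hour window regardless of any UI time picker.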