Archive
Highlighted

from command with time modifers

Communicator

Hi all,
I am trying to add time modifiers to "from" command ,from within the query, with not much of a luck.
An example for the command is:

| from datamodel:"Authentication"."Failed_Authentication" | search dest="Host1" app="win:local"

Can anyone help me figuring this out ?

0 Karma
Highlighted

Re: from command with time modifers

Esteemed Legend

This answer shows you how to use a macro in the same way that you are using from datamodel which means that you can use earliest and latest in-line in the normal way (UpVotes appreciated):
https://answers.splunk.com/answers/716936/splunk-server-field-is-not-available-when-we-searc.html

0 Karma
Highlighted

Re: from command with time modifers

Communicator

Thanks for your response.
It is not what i was looking for exactly.
The problem is only with "from" command. tstats command can be used with time modifiers.
Also i have splunk cloud so it is a bit of a problem to add the macros to the file.

0 Karma