Re: How can I search for one eventtype for 4 hours...

anuremanan88 · ‎10-04-2017

I have to search for two logs from same index using different time range. For example one eventtype is "login" and the other eventtype is "breach". In a single search i need to search for both eventtypes. But when i do a search for last 4 hrs, it should search eventtype "breach" for last 4 hrs and eventtype "login" for last 8 hrs. Anyone can help me in this?

aholzer · ‎10-04-2017

Something like this should do the trick for you:
(eventtype=breach earliest=-4h@h latest=now) OR (eventtype=login earliest=-8h@h latest=now)

Hope this helps

anuremanan88 · ‎10-04-2017

Thanks for the reply. Here i need to search time using input filter. I use input token for this. My search would look like this

(eventtype=breach earliest=$token.earliest$ latest=now) OR (eventtype=login earliest=$token.earliest$-4h latest=now).

But its not working

aholzer · ‎10-04-2017

it's because you can't do -4h of a token.

Here's an answer that solved modifying tokens. It's not pretty, but it should get the work done.

How can I search for one eventtype for 4 hours and a second eventtype for 8 hours in the same search?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How can I search for one eventtype for 4 hours and a second eventtype for 8 hours in the same search?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...