Solved: How to use time modifiers in the dashboard?

kiran331 · ‎10-12-2016

Hi,

How to change the search below to show the events occurred before 2 hrs of specific time, which is passed through token.

latest="$last_time$" if i pass "10/5/2016:20:00:00" then the earliest should be "10/5/2016:18:00:00"

index=wineventlog sourcetype="WinEventLog:Security"  (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" latest=$last_time$ earliest=latest-2h|search user=*|table _time user src_nt_host host EventCode name src_ip

somesoni2 · ‎10-12-2016

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

View solution in original post

somesoni2 · ‎10-12-2016

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

rjthibod · ‎10-12-2016

HA, can't tell if we raced to the bottom or the top 🙂

kiran331 · ‎10-12-2016

Hi Somesoni2,

I'm getting the error " Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."

rjthibod · ‎10-12-2016

Try using format "" "" "" "" "" "" "" | eval search = replace(search,"\"", "") instead of just format

kiran331 · ‎10-12-2016

Hi rjthibod,
I got his error.
Error in 'format' command: Invalid argument: ''

rjthibod · ‎10-12-2016

Sorry, one double-quote too many

format "" "" "" "" "" "" | eval search = replace(search,"\"", "")

kiran331 · ‎10-12-2016

It Worked. Thanks!

rjthibod · ‎10-12-2016

Great, will update my post

rjthibod · ‎10-12-2016

@somesoni2 beat me by the hair of his chin in posting an answer, so I will relinquish technical karma to him in the hopes it gains me spiritual karma

For posterity sake, this is what I posted (updated based on comments)

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [ | gentimes start=-1 | eval latest = strptime($last_time|s$, "%m/%d/%Y:%T") | eval earliest = relative_time(latest, "-2h") | table latest earliest | format "" "" "" "" "" "" | eval search = replace(search,"\"", "")] |search user=|table _time user src_nt_host host EventCode name src_ip

sundareshr · ‎10-12-2016

Where is $last_time$ set?

kiran331 · ‎10-12-2016

I'm using this search in Dashboard for the form input(text) . it is set for latest field

How to use time modifiers in the dashboard?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation