Dashboards & Visualizations

How to use time modifiers in the dashboard?

kiran331
Builder

Hi,

How to change the search below to show the events occurred before 2 hrs of specific time, which is passed through token.

latest="$last_time$" if i pass "10/5/2016:20:00:00" then the earliest should be "10/5/2016:18:00:00"

index=wineventlog sourcetype="WinEventLog:Security"  (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" latest=$last_time$ earliest=latest-2h|search user=*|table _time user src_nt_host host EventCode name src_ip
Tags (2)
0 Karma
1 Solution

somesoni2
Revered Legend

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

View solution in original post

somesoni2
Revered Legend

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

rjthibod
Champion

HA, can't tell if we raced to the bottom or the top 🙂

0 Karma

kiran331
Builder

Hi Somesoni2,

I'm getting the error " Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."

0 Karma

rjthibod
Champion

Try using format "" "" "" "" "" "" "" | eval search = replace(search,"\"", "") instead of just format

0 Karma

kiran331
Builder

Hi rjthibod,
I got his error.
Error in 'format' command: Invalid argument: ''

0 Karma

rjthibod
Champion

Sorry, one double-quote too many

format "" "" "" "" "" "" | eval search = replace(search,"\"", "")

kiran331
Builder

It Worked. Thanks!

0 Karma

rjthibod
Champion

Great, will update my post

0 Karma

rjthibod
Champion

@somesoni2 beat me by the hair of his chin in posting an answer, so I will relinquish technical karma to him in the hopes it gains me spiritual karma

For posterity sake, this is what I posted (updated based on comments)

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [ | gentimes start=-1 | eval latest = strptime($last_time|s$, "%m/%d/%Y:%T") | eval earliest = relative_time(latest, "-2h") | table latest earliest | format "" "" "" "" "" "" | eval search = replace(search,"\"", "")] |search user=|table _time user src_nt_host host EventCode name src_ip

sundareshr
Legend

Where is $last_time$ set?

0 Karma

kiran331
Builder

I'm using this search in Dashboard for the form input(text) . it is set for latest field

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...