How to use time modifiers in the dashboard?

Builder

Hi,

How do I change the search below to show the events that occurred up to 2 hours before a specific time, which is passed in through a token?

latest="$last_time$": if I pass "10/5/2016:20:00:00", then earliest should be "10/5/2016:18:00:00".

index=wineventlog sourcetype="WinEventLog:Security"  (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" latest=$last_time$ earliest=latest-2h|search user=*|table _time user src_nt_host host EventCode name src_ip

SplunkTrust

Try this for updating the search's time range using a subsearch:

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

Champion

HA, can't tell if we raced to the bottom or the top 🙂

Builder

Hi Somesoni2,

I'm getting the error "Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."

Champion

Try using format "" "" "" "" "" "" "" | eval search = replace(search,"\"", "") instead of just format

Builder

Hi rjthibod,
I got this error:
Error in 'format' command: Invalid argument: ''

Champion

Sorry, one double-quote too many:

format "" "" "" "" "" "" | eval search = replace(search,"\"", "")

Builder

It Worked. Thanks!

Champion

Great, will update my post

Champion

@somesoni2 beat me by the hair of his chin in posting an answer, so I will relinquish technical karma to him in the hopes it gains me spiritual karma

For posterity's sake, this is what I posted (updated based on the comments):

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" [ | gentimes start=-1 | eval latest = strptime($last_time|s$, "%m/%d/%Y:%T") | eval earliest = relative_time(latest, "-2h") | table latest earliest | format "" "" "" "" "" "" | eval search = replace(search,"\"", "")] |search user=*|table _time user src_nt_host host EventCode name src_ip
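
The same time arithmetic the subsearch above performs, as an added Python example that is not from this thread: it parses the token with the thread's `%m/%d/%Y:%T` format, derives earliest = latest - 2h, and renders the bare earliest/latest clause that the six-empty-string `format` plus the quote-stripping `replace()` hands to the outer search. The `$last_time|s$` filter in the post quotes the token on the Splunk side; the strict parse here plays the same role by rejecting any text-input value that is not exactly a timestamp. It assumes the dashboard user's time zone is UTC.

```python
from datetime import datetime, timedelta, timezone

# Format the thread's strptime() call uses; %T is shorthand for %H:%M:%S.
TOKEN_FORMAT = "%m/%d/%Y:%T"
# Same offset as relative_time(latest, "-2h").
WINDOW = timedelta(hours=2)

def parse_last_time(token: str, tz=timezone.utc) -> datetime:
    """Strictly parse the $last_time$ token.

    Python's strptime has no %T, so expand it first. Anything that is not
    exactly one timestamp in this format (a different date style, trailing
    text, an empty input) raises ValueError instead of reaching the search.
    Assumption: the dashboard user's time zone is UTC (Splunk uses the user's).
    """
    fmt = TOKEN_FORMAT.replace("%T", "%H:%M:%S")
    return datetime.strptime(token, fmt).replace(tzinfo=tz)

def time_bounds(token: str) -> tuple:
    """Return (earliest, latest) as whole epoch seconds; earliest = latest - 2h."""
    latest = parse_last_time(token)
    earliest = latest - WINDOW
    return int(earliest.timestamp()), int(latest.timestamp())

def time_clause(token: str) -> str:
    # The bare modifiers the subsearch hands back after format with six empty
    # separators and the quote-stripping replace(): earliest=... latest=...
    earliest, latest = time_bounds(token)
    return f"earliest={earliest} latest={latest}"

def build_search(token: str) -> str:
    """Splice the computed clause into the thread's outer search."""
    head = ('index=wineventlog sourcetype="WinEventLog:Security" '
            '(EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) '
            'Keywords="Audit Failure")) user!="*$"')
    tail = "| search user=* | table _time user src_nt_host host EventCode name src_ip"
    return f"{head} {time_clause(token)} {tail}"

if __name__ == "__main__":
    print(build_search("10/5/2016:20:00:00"))
    # Constructed bad inputs: wrong date style, trailing text, empty string.
    for bad in ("2016-10-05 20:00:00", "10/5/2016:20:00:00 junk", ""):
        try:
            time_bounds(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```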

Legend

Where is $last_time$ set?

0 Karma

Builder

I'm using this search in a dashboard with a form input (text). It is set for the latest field.