Hi,
How do I change the search below to show the events that occurred in the 2 hours before a specific time, which is passed through a token?
latest="$last_time$": if I pass "10/5/2016:20:00:00", then the earliest should be "10/5/2016:18:00:00".
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" latest=$last_time$ earliest=latest-2h|search user=*|table _time user src_nt_host host EventCode name src_ip
Try this for updating the search's time range using a subsearch:
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip
HA, can't tell if we raced to the bottom or the top 🙂
Hi Somesoni2,
I'm getting the error " Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."
Try using format "" "" "" "" "" "" "" | eval search = replace(search,"\"", "")
instead of just format
Hi rjthibod,
I got this error:
Error in 'format' command: Invalid argument: ''
Sorry, one double-quote too many
format "" "" "" "" "" "" | eval search = replace(search,"\"", "")
It Worked. Thanks!
Great, will update my post
@somesoni2 beat me by the hair of his chin in posting an answer, so I will relinquish technical karma to him in the hopes it gains me spiritual karma
For posterity's sake, this is what I posted (updated based on comments):
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" [ | gentimes start=-1 | eval latest = strptime($last_time|s$, "%m/%d/%Y:%T") | eval earliest = relative_time(latest, "-2h") | table latest earliest | format "" "" "" "" "" "" | eval search = replace(search,"\"", "")] |search user=* |table _time user src_nt_host host EventCode name src_ip
Where is $last_time$ set?
I'm using this search in a dashboard with a form input (text). It is set for the latest field.
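The working search above computes the lookback window inside a subsearch: strptime() turns the token into an epoch, relative_time() subtracts two hours, and format with six empty arguments plus the quote-stripping replace() turns the two fields into bare earliest=/latest= time modifiers. The Python below is an added example, not code from the thread or from Splunk, that emulates that pipeline so the resulting strings can be inspected offline. It assumes the token value is interpreted as UTC (Splunk's strptime() uses the search-time zone, so real epoch values can differ by the UTC offset) and renders epochs as integers where Splunk's table/format output would carry six decimal places.

```python
"""Emulate the Splunk subsearch that builds a 2-hour window ending at a token.

Added example, not from the original thread. Assumptions (not Splunk behaviour):
  * the token is parsed as UTC; Splunk's strptime() uses the search time zone
  * epoch values are integers; Splunk would render them as e.g. 1475697600.000000
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Splunk's "%m/%d/%Y:%T"; Python's strptime has no %T, so spell out %H:%M:%S
TOKEN_FORMAT = "%m/%d/%Y:%H:%M:%S"


def window_bounds(last_time: str, lookback_hours: int = 2) -> Tuple[int, int]:
    """Mirror `eval latest=strptime($last_time|s$, ...)` followed by
    `eval earliest=relative_time(latest, "-2h")`. Raises ValueError on a
    malformed token instead of silently producing an empty window."""
    latest = datetime.strptime(last_time, TOKEN_FORMAT).replace(tzinfo=timezone.utc)
    earliest = latest - timedelta(hours=lookback_hours)
    return int(earliest.timestamp()), int(latest.timestamp())


def format_default(earliest: int, latest: int) -> str:
    """What a bare `| format` hands back for one row with two fields:
    quoted values wrapped in the default AND/parenthesis structure."""
    return f'( ( earliest="{earliest}" AND latest="{latest}" ) )'


def format_stripped(earliest: int, latest: int) -> str:
    """Output of `format "" "" "" "" "" "" | eval search=replace(search,"\\"","")`:
    no parentheses, no AND, and the quotes removed so the outer search
    reads the pair as plain earliest=/latest= time modifiers."""
    fragment = f'earliest="{earliest}" latest="{latest}"'
    return fragment.replace('"', "")


def build_search(last_time: str) -> str:
    """Assemble the outer search with the computed window substituted in
    where the subsearch would be expanded."""
    earliest, latest = window_bounds(last_time)
    return (
        'index=wineventlog sourcetype="WinEventLog:Security" '
        '(EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) '
        'Keywords="Audit Failure")) user!="*$" '
        + format_stripped(earliest, latest)
        + " | search user=* | table _time user src_nt_host host EventCode name src_ip"
    )


if __name__ == "__main__":
    # Constructed token value taken from the question's own example
    token = "10/5/2016:20:00:00"
    e, l = window_bounds(token)
    print("default format :", format_default(e, l))
    print("stripped format:", format_stripped(e, l))
    print(build_search(token))
```

Running it shows the two shapes side by side: the default `( ( earliest="..." AND latest="..." ) )` that the outer search rejected, and the `earliest=1475690400 latest=1475697600` pair that Splunk accepts as time modifiers.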