Dashboards & Visualizations

How to use time modifiers in the dashboard?

kiran331
Builder

Hi,

How to change the search below to show the events occurred before 2 hrs of specific time, which is passed through token.

latest="$last_time$" if i pass "10/5/2016:20:00:00" then the earliest should be "10/5/2016:18:00:00"

index=wineventlog sourcetype="WinEventLog:Security"  (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" latest=$last_time$ earliest=latest-2h|search user=*|table _time user src_nt_host host EventCode name src_ip
Tags (2)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

rjthibod
Champion

HA, can't tell if we raced to the bottom or the top 🙂

0 Karma

kiran331
Builder

Hi Somesoni2,

I'm getting the error " Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."

0 Karma

rjthibod
Champion

Try using format "" "" "" "" "" "" "" | eval search = replace(search,"\"", "") instead of just format

0 Karma

kiran331
Builder

Hi rjthibod,
I got his error.
Error in 'format' command: Invalid argument: ''

0 Karma

rjthibod
Champion

Sorry, one double-quote too many

format "" "" "" "" "" "" | eval search = replace(search,"\"", "")

kiran331
Builder

It Worked. Thanks!

0 Karma

rjthibod
Champion

Great, will update my post

0 Karma

rjthibod
Champion

@somesoni2 beat me by the hair of his chin in posting an answer, so I will relinquish technical karma to him in the hopes it gains me spiritual karma

For posterity sake, this is what I posted (updated based on comments)

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [ | gentimes start=-1 | eval latest = strptime($last_time|s$, "%m/%d/%Y:%T") | eval earliest = relative_time(latest, "-2h") | table latest earliest | format "" "" "" "" "" "" | eval search = replace(search,"\"", "")] |search user=|table _time user src_nt_host host EventCode name src_ip

sundareshr
Legend

Where is $last_time$ set?

0 Karma

kiran331
Builder

I'm using this search in Dashboard for the form input(text) . it is set for latest field

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...