Solved: How to use time modifiers in the dashboard?

kiran331 · ‎10-12-2016

Hi,

How to change the search below to show the events occurred before 2 hrs of specific time, which is passed through token.

latest="$last_time$" if i pass "10/5/2016:20:00:00" then the earliest should be "10/5/2016:18:00:00"

index=wineventlog sourcetype="WinEventLog:Security"  (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="*$" latest=$last_time$ earliest=latest-2h|search user=*|table _time user src_nt_host host EventCode name src_ip

somesoni2 · ‎10-12-2016

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

View solution in original post

somesoni2 · ‎10-12-2016

Try this for updating search's time range using a subsearch

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [| gentimes start=-1 | eval latest=strptime("$last_time$","%m/%d/%Y:%T") | eval earliest=relative_time(latest, "-2h") | table earliest latest | format ] |search user=* |table _time user src_nt_host host EventCode name src_ip

rjthibod · ‎10-12-2016

HA, can't tell if we raced to the bottom or the top 🙂

kiran331 · ‎10-12-2016

Hi Somesoni2,

I'm getting the error " Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."

rjthibod · ‎10-12-2016

Try using format "" "" "" "" "" "" "" | eval search = replace(search,"\"", "") instead of just format

kiran331 · ‎10-12-2016

Hi rjthibod,
I got his error.
Error in 'format' command: Invalid argument: ''

rjthibod · ‎10-12-2016

Sorry, one double-quote too many

format "" "" "" "" "" "" | eval search = replace(search,"\"", "")

kiran331 · ‎10-12-2016

It Worked. Thanks!

rjthibod · ‎10-12-2016

Great, will update my post

rjthibod · ‎10-12-2016

@somesoni2 beat me by the hair of his chin in posting an answer, so I will relinquish technical karma to him in the hopes it gains me spiritual karma

For posterity sake, this is what I posted (updated based on comments)

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771) Keywords="Audit Failure")) user!="$" [ | gentimes start=-1 | eval latest = strptime($last_time|s$, "%m/%d/%Y:%T") | eval earliest = relative_time(latest, "-2h") | table latest earliest | format "" "" "" "" "" "" | eval search = replace(search,"\"", "")] |search user=|table _time user src_nt_host host EventCode name src_ip

sundareshr · ‎10-12-2016

Where is $last_time$ set?

kiran331 · ‎10-12-2016

I'm using this search in Dashboard for the form input(text) . it is set for latest field

How to use time modifiers in the dashboard?

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?