Solved: Re: how to add a timeformat for a search which con...

pavanae · ‎09-12-2016

I have a search as follows

earliest="08/01/2016:00:00:01" latest="08/01/2016:23:59:59" getABCsWin("XYZ","abc12345678")

Now how can I add the time format string as mentioned below for all the searches contains unique search string "getABCsWin"

timeformat="%d/%m/%Y:%H:%M:%S”

Is it something I need to add in macros.conf if yes. How can I add it?

sundareshr · ‎09-12-2016

You can edit the getABCsWin macro from the GUI. All (permissions) macros can be found at Settings > Advanced Search > Search macros.

View solution in original post

sundareshr · ‎09-12-2016

You can edit the getABCsWin macro from the GUI. All (permissions) macros can be found at Settings > Advanced Search > Search macros.

pavanae · ‎09-12-2016

so in search macros do I need click new and add the macro?
Can you explain a little detail? I would really appreciate your help?

sundareshr · ‎09-12-2016

It looks like the macro already exists. When you click on "Search Macros", it will list all the macros. Find the one called getABCsWin edit the definition & save.

pavanae · ‎09-12-2016

I need to create a new macro for this scenario..
https://answers.splunk.com/answers/451935/how-to-create-a-macro-for-the-below-scenario.html?minQuest...

how to add a timeformat for a search which contains an unique string in macros.conf?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?