Earliest and latest time URL parameter

mteverest · ‎02-09-2020

Hi, I have a scheduled search in Splunk with the following link in the description field [1] and would like to capture the 'earliest=' part of the URL to match the actual event time AND have the 'latest=' part of the URL to be 5 minutes after the event time.

Raw scheduled search link:
[1] https://splunkserver.blah/en-US/app/search/search?q=$search$&earliest=$trigger_time$&latest=$trigger...

Example scenerio:

Event time: 2/10/20 8:15:13.000 AM

Search query: index=windows EventCode=4624 LogonType=3 User=john.smith

When the alert triggers, the above scheduled search link turns into something like this:
[2] https://splunkserver.blah/en-US/app/search/search?q=index=windows EventCode=4624 LogonType=3 User=john.smith&earliest=1581282963.14079&latest=1581282963.14079

When I open the link above [2], I get an error of 'Invalid latest_time: latest_time must be after ealiest_time.'. The epoch time captured is the time of when the alert triggered.

Does anyone know how to capture the actual event time?

to4kawa · ‎02-10-2020

[1] https://splunkserver.blah/en-US/app/search/search?q=$search$&earliest=$result._time$&latest=$trigger...

how about this?

mteverest · ‎02-10-2020

Thanks, that worked! Is it possible to have the 'earliest=' and 'latest=' have -/+ 300 epoch (5 mins) from the event time?

to4kawa · ‎02-12-2020

in search, use eval

Earliest and latest time URL parameter

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting