Earliest and latest time URL parameter

mteverest · ‎02-09-2020

Hi, I have a scheduled search in Splunk with the following link in the description field [1] and would like to capture the 'earliest=' part of the URL to match the actual event time AND have the 'latest=' part of the URL to be 5 minutes after the event time.

Raw scheduled search link:
[1] https://splunkserver.blah/en-US/app/search/search?q=$search$&earliest=$trigger_time$&latest=$trigger...

Example scenerio:

Event time: 2/10/20 8:15:13.000 AM

Search query: index=windows EventCode=4624 LogonType=3 User=john.smith

When the alert triggers, the above scheduled search link turns into something like this:
[2] https://splunkserver.blah/en-US/app/search/search?q=index=windows EventCode=4624 LogonType=3 User=john.smith&earliest=1581282963.14079&latest=1581282963.14079

When I open the link above [2], I get an error of 'Invalid latest_time: latest_time must be after ealiest_time.'. The epoch time captured is the time of when the alert triggered.

Does anyone know how to capture the actual event time?

to4kawa · ‎02-10-2020

[1] https://splunkserver.blah/en-US/app/search/search?q=$search$&earliest=$result._time$&latest=$trigger...

how about this?

mteverest · ‎02-10-2020

Thanks, that worked! Is it possible to have the 'earliest=' and 'latest=' have -/+ 300 epoch (5 mins) from the event time?

to4kawa · ‎02-12-2020

in search, use eval

Earliest and latest time URL parameter

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life