Splunk Enterprise Security

Earliest and latest time URL parameter

mteverest
New Member

Hi, I have a scheduled search in Splunk with the following link in the description field [1] and would like to capture the 'earliest=' part of the URL to match the actual event time AND have the 'latest=' part of the URL to be 5 minutes after the event time.

Raw scheduled search link:
[1] https://splunkserver.blah/en-US/app/search/search?q=$search$&earliest=$trigger_time$&latest=$trigger...

Example scenerio:

Event time: 2/10/20 8:15:13.000 AM

Search query: index=windows EventCode=4624 LogonType=3 User=john.smith

When the alert triggers, the above scheduled search link turns into something like this:
[2] https://splunkserver.blah/en-US/app/search/search?q=index=windows EventCode=4624 LogonType=3 User=john.smith&earliest=1581282963.14079&latest=1581282963.14079

When I open the link above [2], I get an error of 'Invalid latest_time: latest_time must be after ealiest_time.'. The epoch time captured is the time of when the alert triggered.

Does anyone know how to capture the actual event time?

0 Karma

to4kawa
Ultra Champion
0 Karma

mteverest
New Member

Thanks, that worked! Is it possible to have the 'earliest=' and 'latest=' have -/+ 300 epoch (5 mins) from the event time?

0 Karma

to4kawa
Ultra Champion

in search, use eval

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...