Splunk Enterprise Security

How to search by time using |rest command

Explorer

I'm searching using the | rest command from the search bar, attempting to find saved searches that have been modified in the last x number of days. In the search below there is a field called "updated" which I'm attempting to convert to epoch time and then search back x number of days, looking for any search that matches the timepicker. No search string that I've tried has been able to pick the time, so to speak.

My base search is:
| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, eai:acl.owner as owner, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| eval t=strptime(updated, "%Y-%m-%dT%H:%M:%S%z")
| where t >= relativetime(now(),"-30d@d")
| table csearch_label updated t

Thanks in advance for the help and guidance.


Influencer

How I would solve this is I would use a subsearch, with addinfo to collect the timepicker details, and generate a where condition that would be inserted in the parent search...

| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches f=updated f=eai:acl f=action.correlationsearch.label f=action.notable.param.security_domain search=action.correlationsearch.enabled=true 
| fields author eai:acl.app eai:acl.owner title action.* updated 
| rename eai:acl.* -> * title -> csearch_name action.correlationsearch.label -> csearch_label action.notable.param.* -> *
| eval t=strptime(updated, "%Y-%m-%dT%H:%M:%S%z")
| where 
    [ makeresults 
    | addinfo
    | eval search=" t >= ". info_min_time. if(info_max_time=="+Infinity",""," AND t <= ".info_max_time) ]

(I developed this on a 7.2.4.1 instance, with ES 5.2.0)

Some variations with your search... first, with the rest command I'm using the namespaced version of the URL to search across all app-user contexts instead of just the current app-user context, and I'm using the f and search parameters to limit the fields and results that I need from the saved searches GET endpoint. (Special props to @cmerriman who taught me about the f parameter)

But just like your search I'm cutting down the fields I need and renaming the fields to be nice names, and using eval to parse updated time back to epoch format...

Now for the where statement... here we're using a subsearch to build the where condition. addinfo provides us the min and max time for the search (in epoch time) selected by the time picker, and using that we are able to filter the epoch time based on the time picker. ... when All time is selected, info_min_time = 0 and info_max_time = "+Infinity", hence the if statement in building the search field which is then inserted into the where clause.

It's possibly obvious, but I should note, that this is of course only looking at the LAST time a particular search was modified, the data about every time a particular search is modified is not in fact stored in the metadata and thus not retrievable by this endpoint.
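As an added example (not the answer author's code or anything shipped with Splunk), the same filter applied to the JSON the saved/searches endpoint returns, from outside SPL: the `updated` value carries a UTC offset, so it is parsed with %z exactly as in the accepted answer, and an unbounded upper limit stands in for addinfo reporting info_max_time="+Infinity". The response below is constructed sample data; the entry layout and field names are those of the endpoint used above.

```python
import json
from datetime import datetime

# Constructed sample of what /servicesNS/-/-/saved/searches returns with
# output_mode=json; only the fields this page works with are included.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Brute Force Access Behavior Detected",
     "updated": "2019-03-10T09:15:00-04:00",
     "acl": {"app": "SplunkEnterpriseSecuritySuite", "owner": "admin"},
     "content": {"action.correlationsearch.enabled": "1",
                 "action.correlationsearch.label": "Brute Force Access Behavior Detected",
                 "action.notable.param.security_domain": "access"}},
    {"name": "Old Correlation Search",
     "updated": "2018-01-05T00:00:00+00:00",
     "acl": {"app": "search", "owner": "analyst"},
     "content": {"action.correlationsearch.enabled": "true",
                 "action.correlationsearch.label": "Old Correlation Search",
                 "action.notable.param.security_domain": "endpoint"}},
    {"name": "Not a correlation search",
     "updated": "2019-03-12T12:00:00-04:00",
     "acl": {"app": "search", "owner": "analyst"},
     "content": {"action.correlationsearch.enabled": "0"}},
]})

# The truthy spellings the question's match() regex is looking for: 1, t, true.
ENABLED = {"1", "t", "true"}


def updated_to_epoch(updated):
    """Convert '2019-03-10T09:15:00-04:00' to epoch seconds. The trailing UTC
    offset is the reason the strptime format in the answer ends in %z."""
    return datetime.strptime(updated, "%Y-%m-%dT%H:%M:%S%z").timestamp()


def correlation_searches_modified_between(response_text, min_time, max_time=None):
    """Return (label, app, owner, epoch) for enabled correlation searches whose
    last modification falls in [min_time, max_time]. max_time=None means no
    upper bound, i.e. the All time case where addinfo gives "+Infinity"."""
    rows = []
    for entry in json.loads(response_text)["entry"]:
        content = entry.get("content", {})
        flag = str(content.get("action.correlationsearch.enabled", "")).lower()
        if flag not in ENABLED:
            continue
        t = updated_to_epoch(entry["updated"])
        if t < min_time or (max_time is not None and t > max_time):
            continue
        rows.append((content.get("action.correlationsearch.label", entry["name"]),
                     entry["acl"]["app"], entry["acl"]["owner"], t))
    return rows
```

As on the page, this only sees the last modification of each search; the endpoint keeps no history of earlier edits.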
