How to get searches with time range as All Time?

Taruchit
Contributor
Hello All,
I need to search for SPLs having time range as All time. I used the below SPL:-

index=_audit action=search provenance=* info=completed host IN (...)
 |table user, apiStartTime, apiEndTime, search_et, search_lt, search
 |search apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME"
 |convert ctime(search_*)

I get results with 
apiStartTime as Empty
apiEndTime as 'ZERO_TIME'
search_et 07/31/2024 00:00:00
search_lt 08/29/2024 13:10:58

Thus, how do I interpret the above results and how do I modify the SPL to fetch correct results?

Thank you
Taruchit

ITWhisperer
SplunkTrust

apiStartTime and apiEndTime are not set when info=completed but are set when info=granted - try something like this

index=_audit action=search provenance=* info=granted host IN (...)  (apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME")
| table user, apiStartTime, apiEndTime, search_et, search_lt, search
| convert ctime(search_*)
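To make the granted/completed distinction concrete, here is an added Python example (not from this thread and not Splunk's own code): it parses constructed _audit-style lines, keeps only info=granted events that have a ZERO_TIME bound, and joins the info=completed event with the same search_id to render search_et/search_lt the way `convert ctime(search_*)` would. The field names follow the thread; the line layout is a constructed approximation of _audit records, and the epoch values are sample data.

```python
import re
from datetime import datetime, timezone

# key=value pairs; values may be single-quoted, double-quoted or bare tokens.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|([^\s,\]]+))")
ZERO_TIME = "ZERO_TIME"

# Constructed sample events: the granted event carries apiStartTime/apiEndTime, the
# completed event for the same search_id carries search_et/search_lt (epoch) instead.
SAMPLE_AUDIT = [
    "Audit:[timestamp=08-29-2024 13:10:58.000, user=alice, action=search, info=granted, "
    "search_id='1724937058.42', search='search index=main error', "
    "apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=\"\"]",
    "Audit:[timestamp=08-29-2024 13:11:10.000, user=alice, action=search, info=completed, "
    "search_id='1724937058.42', total_run_time=12.34, event_count=100, "
    "search_et=1722384000.000, search_lt=1724937058.000]",
    "Audit:[timestamp=08-29-2024 13:11:20.000, user=bob, action=search, info=granted, "
    "search_id='1724937080.43', search='search index=_internal', "
    "apiStartTime='08-29-2024 12:11:20.000', apiEndTime='08-29-2024 13:11:20.000']",
]

def parse_audit_event(line):
    """Return the key=value fields of one _audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return fields

def epoch_to_ctime(value):
    """Mimic `| convert ctime(search_*)` for an epoch value (UTC, MM/DD/YYYY HH:MM:SS)."""
    return datetime.fromtimestamp(float(value), tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")

def all_time_searches(lines):
    """One dict per search whose info=granted event has an All Time bound."""
    events = [parse_audit_event(l) for l in lines]
    completed = {e["search_id"]: e for e in events
                 if e.get("action") == "search" and e.get("info") == "completed"}
    hits = []
    for e in events:
        if e.get("action") != "search" or e.get("info") != "granted":
            continue  # completed events carry no apiStartTime/apiEndTime
        if ZERO_TIME in (e.get("apiStartTime"), e.get("apiEndTime")):
            done = completed.get(e["search_id"], {})
            hits.append({
                "user": e["user"], "search": e["search"],
                "apiStartTime": e["apiStartTime"], "apiEndTime": e["apiEndTime"],
                "search_et": epoch_to_ctime(done["search_et"]) if "search_et" in done else None,
                "search_lt": epoch_to_ctime(done["search_lt"]) if "search_lt" in done else None,
            })
    return hits
```

Running `all_time_searches(SAMPLE_AUDIT)` reports only alice's search, with its completed-event bounds rendered as 07/31/2024 00:00:00 and 08/29/2024 13:10:58; bob's search has explicit bounds and is skipped.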

gcusello
SplunkTrust

Hi @Taruchit ,

at first don't use the search command when you can put all the parameters in the main search.

Then I'd avoid using all time in a search because you could have too many events, but define a useful timerange.

index=_audit action=search provenance=* info=completed host IN (...)  (apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME")
| table user, apiStartTime, apiEndTime, search_et, search_lt, search
| convert ctime(search_*)

about the meaning of the results, they depend on the parameters you defined, probably with apiEndTime="ZERO_TIME" you don't have the apiStartTime field.

Analyze your search and modify it to have the best results for you.

Ciao.

Giuseppe
