Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get searches with time range as All Time?

Taruchit
Contributor
‎08-29-2024 11:06 AM
Hello All,
 
I need to search for SPLs having time range as All time. I used the below SPL:-

 

 

index=_audit action=search provenance=* info=completed host IN (...)
 |table user, apiStartTime, apiEndTime, search_,et, search_lt, search
 |search apiStartTime='ZERO_TIME' OR apiEndTime='ZERO_TIME'
 |convert ctime(search_*)

 

 

I get results with 
apiStartTime as Empty
apiEndTime as 'ZERO_TIME'
search_et 07/31/2024 00:00:00
search_lt 08/29/2024 13:10:58
 
Thus, how do I interpret the above results and how do I modify the SPL to fetch correct results?
 
Thank you
Taruchit
Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 12:37 AM

apiStartTime and apiEndTime are not set when info=completed but are set when info=granted - try something like this

index=_audit action=search provenance=* info=granted host IN (...)  (apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME")
| table user, apiStartTime, apiEndTime, search_et, search_lt, search
| convert ctime(search_*)

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 11:54 PM

Hi @Taruchit ,

at first don't use the search command when you cn put all the parameters in the main search.

Then I'd avoid to use all time in a search because you could have too many events, but define a useful timerange.

index=_audit action=search provenance=* info=completed host IN (...)  (apiStartTime="ZERO_TIME" OR apiEndTime="ZERO_TIME")
| table user, apiStartTime, apiEndTime, search_,et, search_lt, search
| convert ctime(search_*)

about the meaning of the results, they dependsa on the parameters you defined, probably with apiEndTime="ZERO_TIME" you don't have the apiStartTime field.

Analyze your search and modify it to have the best results for you.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...