I created a workflow action off of some netflow logs. I want to take the source IP from the netflow and pass it to another search that looks at authentication logs from another log source to see the user that most recently authenticated PRIOR to the event that I am triggering the workflow from. I can pass _time to the new search as latest=$_time$, but I cannot seem to set earliest to what I want (in this case 4 hours before the passed $_time$ variable). How can I properly set earliest to 4 hours before $_time$ so the workflow search looks back 4 hours from the event I am pivoting off of?
OK. I now have the correct solution. It is based on this other post: https://community.splunk.com/t5/Splunk-Search/Setting-earliest-and-latest/m-p/489703 Basically, adding the following to the search string in my Workflow action sets the correct relative earliest date when I pass in _time from the original search:
latest=$_time$ [| makeresults | eval earliest=relative_time($_time$,"-4h@s")| format "(" "" "" "" "" ")"]
Well, it looks like the solution I thought I had does not work. I was doing a head command on my results. That worked great when there was a recent prior event to pivot on. When there was no authentication event with a matching IP, the search took forever, indicating that the search defined in the Workflow Action is not honoring the Earliest Time in the Time range setting for the Workflow action. So the question still remains: how to pass in a modified earliest time with a value that is an offset (like 4 hours ago) from the passed-in $_time$ variable from the original search in a Workflow action.
Compute the earliest time in the calling search as start=relative_time(_time, "-4h") and pass it to the new search as earliest=$start$.
As this is being triggered as a workflow action from the Event Menu for a specific Event, I am not working off of the original search; I am working off the Event Menu, which only has the original fields in the logged event for that sourcetype. I tried creating a calculated field called fourhoursago for the sourcetype that was an eval of the value of _time minus 4 hours and tried passing it to the workflow action as earliest=$fourhoursago$, but it would not accept the calculated field.
So, it looks like I can use a relative time setting (-4h@s) in the Earliest Time in the Time range setting for the Workflow action and pass in $_time$ as the latest value in my passed query, and it works!
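As an added example (not code from the thread or from Splunk), the arithmetic behind the lookback window in plain Python: earliest mirrors relative_time(_time, "-4h@s") and latest is the pivot event's own _time, and the "most recent prior login from this source IP" pivot is done over constructed authentication records so that the no-match case returns None rather than running open-ended. The function names, the AUTH_EVENTS data and the IP addresses are all hypothetical; the only thing taken from the thread is the window definition.

```python
# Added example, not from the Splunk Community thread: the lookback-window
# arithmetic the thread settles on, plus the "last user to authenticate from
# this IP before the pivot event" lookup done locally. AUTH_EVENTS is
# constructed sample data; every name here is hypothetical.
import math
from typing import Optional

LOOKBACK_HOURS = 4


def lookback_window(event_time: float, hours: int = LOOKBACK_HOURS):
    """Return (earliest, latest) epoch bounds for a pivot event.

    earliest mirrors SPL relative_time(_time, "-4h@s"): subtract the
    offset, then "@s" snaps down to the whole second. latest is the
    pivot event's own _time, exactly as latest=$_time$ passes it.
    """
    earliest = math.floor(event_time - hours * 3600)
    return earliest, event_time


def time_modifiers(event_time: float, hours: int = LOOKBACK_HOURS) -> str:
    """Render the time modifiers the workflow-action search needs,
    the same pair the thread's makeresults/format subsearch emits."""
    earliest, latest = lookback_window(event_time, hours)
    return f"earliest={earliest} latest={latest}"


# Constructed authentication records (epoch _time, source IP, user).
AUTH_EVENTS = [
    {"_time": 1700000000.0, "src_ip": "10.1.2.3", "user": "alice"},
    {"_time": 1700009000.0, "src_ip": "10.1.2.3", "user": "bob"},
    {"_time": 1700012000.0, "src_ip": "10.9.9.9", "user": "carol"},
    {"_time": 1700013000.0, "src_ip": "10.1.2.3", "user": "dave"},
]


def last_user_before(auth_events, src_ip: str, event_time: float,
                     hours: int = LOOKBACK_HOURS) -> Optional[str]:
    """User who most recently authenticated from src_ip inside the
    lookback window ending at the pivot event.

    Same idea as "src_ip=<ip> earliest=... latest=... | sort - _time
    | head 1" in SPL, with Splunk's convention that earliest is
    inclusive and latest exclusive, but bounded: with no matching
    record it returns None straight away.
    """
    earliest, latest = lookback_window(event_time, hours)
    candidates = [
        e for e in auth_events
        if e["src_ip"] == src_ip and earliest <= e["_time"] < latest
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e["_time"])["user"]


if __name__ == "__main__":
    pivot = 1700012500.0  # constructed netflow event _time
    print(time_modifiers(pivot))
    print(last_user_before(AUTH_EVENTS, "10.1.2.3", pivot))    # bob
    print(last_user_before(AUTH_EVENTS, "172.16.0.1", pivot))  # None
```

Note that dave's login at 1700013000 is later than the pivot, so it is correctly ignored even though it is the newest record for that IP; a lookup that forgot the latest bound would attribute the netflow event to the wrong user.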