Splunk Search

How to search backwards from a event time in a workflow action?

ehoward
Path Finder

I created a workflow action of off some netflow logs.  I want to pass the source IP from the netflow and pass it to another search what looks at authentication logs from another log source to see the user that most recently authenticated PRIOR to the event that I am triggering the workflow from.  I can pass _time to the new search as latest=$_time$  but I cannot seem to set earliest to what I want (in this case 4 hours before the passed $_time$ variable.  How I can I properly set earliest to 4 hours before $_time$ so the workflow search looks back 4 hours from the event I am pivoting off of?

Labels (1)
Tags (1)
0 Karma
1 Solution

ehoward
Path Finder

OK.  I now have the correct solution.  It is based on this other post https://community.splunk.com/t5/Splunk-Search/Setting-earliest-and-latest/m-p/489703  Basically adding the following to the search string in my Workflow action set the correct relative earliest date when I pass in _time from the original search

latest=$_time$  [| makeresults | eval earliest=relative_time($_time$,"-4h@s")| format "(" "" "" "" "" ")"]

View solution in original post

ehoward
Path Finder

Well it looks like the solution I thought I had does not work.  I was doing a head command on my results.  That worked great when there was a recent prior event to pivot on.  When there was no authentication event with a matching IP the search took forever, indicating that the search defined in the Workflow Action is not honoring the earliest Earliest Time in the Time range setting for the Workflow action.  So the question still remains how to pass in a modified  earliest time with a value that is an offset(like 4 hours ago)  from the passed in $_time$ variable from the original search in a Workflow action.

0 Karma

ehoward
Path Finder

OK.  I now have the correct solution.  It is based on this other post https://community.splunk.com/t5/Splunk-Search/Setting-earliest-and-latest/m-p/489703  Basically adding the following to the search string in my Workflow action set the correct relative earliest date when I pass in _time from the original search

latest=$_time$  [| makeresults | eval earliest=relative_time($_time$,"-4h@s")| format "(" "" "" "" "" ")"]

richgalloway
SplunkTrust
SplunkTrust

Compute the earliest time in the calling search as start=relative_time(_time, "-4h") and pass it to the new search as earliest=$start$.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ehoward
Path Finder

As this is being triggered as a workflow action from the Event Menu for a specific Event, I am not working off of the original search, I am working off the Event Menu that only has the original fields in the logged event for that sourcetype.  I tried creating a calculated field called fourhoursago for the sourcetype that was an eval of the value of _time minus 4 hours and tried passing it to the workflow action as  earliest=$fourhoursago$  but it would not accept the calculated field.  .

0 Karma

ehoward
Path Finder

So, it looks like I can use a relative time  setting ( -4h@s) in the earliest Earliest Time in the Time range setting for the Workflow action and pass in the $_time_$ as the latest value in my passed query and it works!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...