
How to search backwards from a event time in a workflow action?

ehoward
Path Finder

I created a workflow action off of some netflow logs. I want to pass the source IP from the netflow to another search that looks at authentication logs from another log source to see the user that most recently authenticated PRIOR to the event that I am triggering the workflow from. I can pass _time to the new search as latest=$_time$ but I cannot seem to set earliest to what I want (in this case 4 hours before the passed $_time$ variable). How can I properly set earliest to 4 hours before $_time$ so the workflow search looks back 4 hours from the event I am pivoting off of?

1 Solution

ehoward
Path Finder

OK. I now have the correct solution. It is based on this other post: https://community.splunk.com/t5/Splunk-Search/Setting-earliest-and-latest/m-p/489703 Basically, adding the following to the search string in my Workflow action sets the correct relative earliest date when I pass in _time from the original search:

latest=$_time$  [| makeresults | eval earliest=relative_time($_time$,"-4h@s")| format "(" "" "" "" "" ")"]

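As an added example (not the thread's own search, and not Splunk documentation), here is how the accepted pattern fits into a complete workflow-action search string that returns the last user to authenticate from the pivot IP. The index name `auth`, the `sourcetype`, the field names `src_ip`, `user` and `action`, and the `action=success` filter are assumptions; substitute the names your authentication sourcetype actually uses. `$src_ip$` assumes the netflow event's source-address field is called `src_ip`.

```spl
index=auth sourcetype=linux_secure action=success src_ip="$src_ip$" latest=$_time$
    [| makeresults
     | eval earliest=relative_time($_time$, "-4h@s")
     | format "(" "" "" "" "" ")"]
| sort 0 - _time
| head 1
| table _time user src_ip action
```

When the action fires, Splunk substitutes the selected event's epoch `_time` for `$_time$`, runs the subsearch first, and expands it to `( earliest="<epoch minus four hours>" )`, which is appended to the outer search. Both time bounds therefore live in the search string itself and do not depend on the Time range setting of the workflow action. That is what keeps the search bounded to a four-hour window when the IP has no prior authentication: it comes back empty quickly instead of scanning all time, which is the slow case described elsewhere in this thread. `sort 0 - _time | head 1` keeps only the most recent authentication before the netflow event; the sort is explicit so the result does not rely on the default return order.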

ehoward
Path Finder

Well, it looks like the solution I thought I had does not work. I was doing a head command on my results. That worked great when there was a recent prior event to pivot on. When there was no authentication event with a matching IP the search took forever, indicating that the search defined in the Workflow Action is not honoring the Earliest Time in the Time range setting for the Workflow action. So the question still remains how to pass in a modified earliest time with a value that is an offset (like 4 hours ago) from the passed-in $_time$ variable from the original search in a Workflow action.


richgalloway
SplunkTrust

Compute the earliest time in the calling search as start=relative_time(_time, "-4h") and pass it to the new search as earliest=$start$.

---
If this reply helps you, Karma would be appreciated.
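As an added example of richgalloway's suggestion (not from the thread itself), for a drilldown that starts from search results rather than from the Event Menu: the first search is the calling search, which computes `start` as a field on every result; the second is the search string configured in the workflow action, which references that field alongside the event's `_time`. The index names, the sourcetype, and the fields `src_ip`, `dest_ip`, `dest_port`, `user` and `action` are assumptions.

```spl
index=netflow sourcetype=netflow dest_port=445
| eval start=relative_time(_time, "-4h@s")
| table _time src_ip dest_ip dest_port start

index=auth action=success src_ip="$src_ip$" earliest=$start$ latest=$_time$
| sort 0 - _time
| head 1
| table _time user src_ip
```

`relative_time` returns epoch seconds, and `earliest=`/`latest=` accept epoch values directly, so no further conversion is needed. Because `start` exists only on the results of the calling search, this form applies to results tables and dashboard drilldowns; a workflow action launched from the Event Menu only sees the fields of the raw event, as the reply below points out, so there the subsearch form of the accepted solution is the one to use.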

ehoward
Path Finder

As this is being triggered as a workflow action from the Event Menu for a specific Event, I am not working off of the original search, I am working off the Event Menu that only has the original fields in the logged event for that sourcetype. I tried creating a calculated field called fourhoursago for the sourcetype that was an eval of the value of _time minus 4 hours and tried passing it to the workflow action as earliest=$fourhoursago$ but it would not accept the calculated field.


ehoward
Path Finder

So, it looks like I can use a relative time setting (-4h@s) in the Earliest Time in the Time range setting for the Workflow action and pass in $_time$ as the latest value in my passed query and it works!
