If I add it to a dashboard panel then I'm getting an error:
"error in eval : the expression is malformed. expected )"
This is the query again:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
trigger_time_earliest=strptime($Time.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($Time.latest$,"%Y/%m/%d%H:%M:%S")
| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
| join savedsearch_name [
| rest splunk_server=local count=0 /services/saved/searches
| rename title as savedsearch_name
| lookup mailingList.csv "action.email.to" OUTPUT teamName
| table action.email.to savedsearch_name teamName]
Hi @sarit_s,
the search seems to be correct, please debug it using this search:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
trigger_time_earliest=strptime($Time.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($Time.latest$,"%Y/%m/%d%H:%M:%S")
then, if there's still the error, delete the last row in eval:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
trigger_time_earliest=strptime($Time.earliest$,"%Y/%m/%d%H:%M:%S")
then, if there's still the error, delete the last row in eval,
and if there's still the error, again the last row:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z")
to identify which eval has the error.
Ciao.
Giuseppe
Hello
Only the first row in the eval is running, but then I'm getting an error that the rest command should be the first one.
Hi @sarit_s,
the rest command must always be the first one,
then try to add the eval items one by one to understand which one has the error; don't use the fields command for the moment.
If the eval command doesn't have results, there's surely an error in the time format.
Please try this:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
trigger_time_earliest=strptime($Time.earliest$,"%Y/%m/%d%H:%M:%S"),
trigger_time_latest=strptime($Time.latest$,"%Y/%m/%d%H:%M:%S")
| table trigger_time_rendered timestamp $Time.earliest$ trigger_time_earliest $Time.latest$ trigger_time_latest
Ciao.
Giuseppe
The only thing that is working in the eval command is the timestamp configuration.
Hi @sarit_s,
OK, please, what's the result of this:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
trigger_time_earliest=$Time.earliest$,
trigger_time_latest=$Time.latest$
| table trigger_time_rendered timestamp trigger_time_earliest trigger_time_latest
obviously in a dashboard panel.
Ciao.
Giuseppe
"The expression is malformed"
Hi @sarit_s,
in this panel you aren't using the Time Picker; you have to click on "Use the Time Picker" and set the field.
Ciao.
Giuseppe
Hi @sarit_s,
Please try this different approach:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| addinfo
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z")
| search timestamp>info_min_time timestamp<info_max_time
| join savedsearch_name [
| rest splunk_server=local count=0 /services/saved/searches
| rename title as savedsearch_name
| lookup mailingList.csv "action.email.to" OUTPUT teamName
| table action.email.to savedsearch_name teamName]
using addinfo.
Ciao.
Giuseppe
No error, but also no results 🙂
Did 'info_min_time' come from addinfo?
Hi @sarit_s,
yes, as you can read at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo
Ciao.
Giuseppe
OK, so it returns no results.
Hi @sarit_s,
please try this and tell me the result:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| addinfo
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z")
| table timestamp trigger_time_rendered info_min_time info_max_time
Ciao.
Giuseppe
Hi @sarit_s,
please try this:
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| addinfo
| eval
timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z")
| where timestamp>info_min_time AND timestamp<info_max_time
| table timestamp trigger_time_rendered info_min_time info_max_time
Ciao.
Giuseppe
Well, there is no error, but the time is not changing if I change it in the time picker.
It gives the earliest and latest time of the search itself, but the user does not have control of the period he wants to search.
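As an added example (not from the thread), one way to drive the filter from the time picker without relying on addinfo: quote the tokens so the dashboard substitutes them as string literals (an unquoted value such as -24h@h lands bare inside eval, which is what yields a malformed expression), then convert each token to epoch with tonumber() for absolute values or relative_time() for relative modifiers. It assumes the panel's time input uses the token Time, as in the posted searches, and the same mailingList.csv lookup.

```spl
| rest /servicesNS/admin/search/alerts/fired_alerts/-
| fields eai:acl.owner savedsearch_name triggered_alert_count trigger_time_rendered
| eval timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z")
| eval earliest_tok="$Time.earliest$", latest_tok="$Time.latest$"
| eval range_start=case(
    match(earliest_tok,"^[0-9]+$"), tonumber(earliest_tok),
    true(), relative_time(now(), earliest_tok))
| eval range_end=case(
    latest_tok=="" OR latest_tok=="now", now(),
    match(latest_tok,"^[0-9]+$"), tonumber(latest_tok),
    true(), relative_time(now(), latest_tok))
| where timestamp>=range_start AND timestamp<=range_end
| join savedsearch_name [
    | rest splunk_server=local count=0 /services/saved/searches
    | rename title as savedsearch_name
    | lookup mailingList.csv "action.email.to" OUTPUT teamName
    | table action.email.to savedsearch_name teamName]
| table savedsearch_name trigger_time_rendered timestamp range_start range_end teamName
```

Relative tokens are resolved against now(), so the window matches what the picker shows; real-time modifiers such as rt-5m are not handled.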