Splunk Search

How to specify time with rest command?

sarit_s
Communicator

Hello,
I have a rest query with a field that contain date and time

Is it possible to limit the search by this field so it will search for the last 15 minutes ?

 

thanks

Labels (1)
Tags (2)
0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

the rest command extract the data, then you can filter this data using the fields containing time and data as all the other fields.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

yes, I have this field

but since with rest command the time Peaker is not working i need to get it from the query

something like earliest and latest based on specific field

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

you cannot use the time picker in the usual way: you have to pass the tokens to the search creating the filters, e.g. if the Time Picker token is called "Time" and the fields containing date (09/28/2022) and time (11:11.22) are "date" and "time"

| rest .....
| eval timestamp=strptime(date.time,"%m/%d/%Y%H:%M:%S")
| search timestamp>$Time.earliest$ timestamp<$Time.latest$

Ciao.

Giuseppe

 

0 Karma

sarit_s
Communicator

thanks

how can i set the tokens ?

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

you can set the tokens using the Time Picker or another input.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

this is my query :

|rest /servicesNS/admin/search/alerts/fired_alerts/- 
|fields eai:acl.owner  savedsearch_name triggered_alert_count trigger_time_rendered

| join savedsearch_name [
  | rest splunk_server=local count=0 /services/saved/searches 
  | rename title as savedsearch_name 

 | lookup mailingList.csv "action.email.to" OUTPUT teamName


  | table action.email.to savedsearch_name teamName]

 

trigger_time_rendere looks like : 2022-09-28 09:20:31 UTC

when inserting this part : 

| eval timestamp=strptime(date.time,"%Y/%m/%d%H:%M:%S")
| search timestamp>$trigger_time_rendere.earliest$ timestamp<$trigger_time_rendere.latest$

im getting no result at all

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

to compare timestamps, you have to convert all of them in epochtime:

| eval 
   timestamp=strptime(date.time,"%Y/%m/%d%H:%M:%S"),
   trigger_time_earliest=strptime($trigger_time_rendere.earliest$,"%Y/%m/%d%H:%M:%S"),
   trigger_time_latest=strptime($trigger_time_rendere.latest$,"%Y/%m/%d%H:%M:%S")

| search timestamp>trigger_time_earliest timestamp<trigger_time_latest

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

still no results 😞

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

when I said "date.time" I meant to create a timestamp with the two fields that you said to have, but what are the field names of date and time that you said to have in the rest outputs?

You have to put them in the eval command to create the timestamp field to use in the filter.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

i have 1 field with date and time

trigger_time_rendered

 

|rest /servicesNS/admin/search/alerts/fired_alerts/- 
|fields eai:acl.owner  savedsearch_name triggered_alert_count trigger_time_rendered
| eval 
   timestamp=strptime(trigger_time_renderede,"%Y/%m/%d%H:%M:%S"),
   trigger_time_earliest=strptime($trigger_time_rendered.earliest$,"%Y/%m/%d%H:%M:%S"),
   trigger_time_latest=strptime($trigger_time_rendered.latest$,"%Y/%m/%d%H:%M:%S")

| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
| join savedsearch_name [
  | rest splunk_server=local count=0 /services/saved/searches 
  | rename title as savedsearch_name 

 | lookup mailingList.csv "action.email.to" OUTPUT teamName


  | table action.email.to savedsearch_name teamName]

 

the fact that it contains also the TZ related ? maybe it should be also part of the convert ?

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

please try this:

| eval 
   trigger_time_rendere=strptime(trigger_time_rendere,"%Y/%m/%d%H:%M:%S"),
| search trigger_time_rendere>$Time.earliest$ trigger_time_rendere<$Time.latest$

if it doesn't run, please tell me the result of:

| eval 
   trigger_time_rendere=strptime(trigger_time_rendere,"%Y/%m/%d%H:%M:%S"),
| table trigger_time_rendere $Time.earliest$ $Time.latest$

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

no results for both

what is it 'Time' ? I don't have such field

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

as I said in my first answer "Time" is the Time Picker Token.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

ok.. so ive added the token and still nothing

 

|rest /servicesNS/admin/search/alerts/fired_alerts/- 
|fields eai:acl.owner  savedsearch_name triggered_alert_count trigger_time_rendered
| eval 
   timestamp=strptime(trigger_time_rendered,"%Y/%m/%d%H:%M:%S"),
   trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"),
   trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S")

| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
| join savedsearch_name [
  | rest splunk_server=local count=0 /services/saved/searches 
  | rename title as savedsearch_name 

 | lookup mailingList.csv "action.email.to" OUTPUT teamName


  | table action.email.to savedsearch_name teamName]
0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

if the forma of trigger_time_rendere is like : 2022-09-28 09:20:31 UTC

the eval isn't correct, please replace this:

| rest /servicesNS/admin/search/alerts/fired_alerts/- 
| fields eai:acl.owner  savedsearch_name triggered_alert_count trigger_time_rendered
| eval 
   timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
   trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"),
   trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S")

| search timestamp>trigger_time_earliest timestamp<trigger_time_latest
| join savedsearch_name [
  | rest splunk_server=local count=0 /services/saved/searches 
  | rename title as savedsearch_name 
  | lookup mailingList.csv "action.email.to" OUTPUT teamName
  | table action.email.to savedsearch_name teamName]

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

still nothing 😞

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

please execute this and tell me the results:

| rest /servicesNS/admin/search/alerts/fired_alerts/- 
| fields eai:acl.owner  savedsearch_name triggered_alert_count trigger_time_rendered
| eval 
   timestamp=strptime(trigger_time_rendered,"%Y-%m-%d %H:%M:%S %Z"),
   trigger_time_earliest=strptime($last_15_mins.earliest$,"%Y/%m/%d%H:%M:%S"),
   trigger_time_latest=strptime($last_15_mins.latest$,"%Y/%m/%d%H:%M:%S")
| table timestamp trigger_time_rendered trigger_time_earliest $last_15_mins.earliest$ trigger_time_latest $last_15_mins.latest$

check if you have all the values and if the format is correct.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

only timestamp and 

trigger_time_rendered

has values, all the rest are empty

maybe im getting the wrong token, i took it from 
settings -->user interface » Time ranges

0 Karma

gcusello
Esteemed Legend

Hi @sarit_s,

no, you have to take the token in your dashboard, in the Time Picker.

The token name is setted by you.

Ciao.

Giuseppe

0 Karma

sarit_s
Communicator

I don't have any dashboard, it is a simple query 

0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...