
Query with specific timestamp then pull the events - 5 minutes

Coal_55
Explorer

Hello Everyone.

I am pretty new to Splunk. I'll try to be brief:


I know that a specific event happened at an exact time. So I want to know what happened on that machine at that time and in the previous 5 minutes. This is to see what the machine was doing 5 minutes prior to triggering the alert.


I got this query (where xxxxxxxxx is the index, sourcetype and name of the machine I want to look at):

***********************************************************************************************

xxxxxxxxx [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ]

***********************************************************************************************

This works well if I manually select in the timepicker anything. For example I click on "last 15 minutes", the query is in reality done for the last 20 minutes (as I want as well the 5 minutes before the earliest time).


The problem comes when I try to type an exact time in the query itself. I am trying, for example, earliest=10/19/2018:00:00:00 but it does not work. I even tried earliest=-1d and it just does not listen to it; it listens to whatever is chosen in the timepicker.

Maybe I am taking the wrong approach with my initial query. Has anybody been in this situation? Or can anyone shed some light here?

Thank you very much in advance.

1 Solution

ITWhisperer
SplunkTrust
xxxx
    [| makeresults 
    | eval earliest=relative_time(strptime("10/19/2018:00:00:00","%m/%d/%Y:%H:%M:%S"),"-5m@m")
    | eval latest=relative_time(earliest,"+5m@m")]

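A fuller version of the accepted approach, added here as an illustration and not taken from the thread: the index, sourcetype and host are placeholders to fill in, the alert timestamp is the one from the original question, and both bounds are derived once from that timestamp so they cannot drift apart. The search returns the events in the 5 minutes leading up to the alert plus the alert second itself, oldest first.

```spl
index=<your_index> sourcetype=<your_sourcetype> host=<your_host>
    [| makeresults
     | eval alert_time=strptime("10/19/2018:00:00:00","%m/%d/%Y:%H:%M:%S")
     | eval earliest=relative_time(alert_time,"-5m@m")
     | eval latest=alert_time+1
     | fields earliest latest]
| sort 0 _time
| table _time host sourcetype source _raw
```

The subsearch returns exactly two fields, earliest and latest, which Splunk substitutes into the outer search as earliest=<epoch> latest=<epoch>; those terms act as time modifiers, so the time picker no longer decides the window. Two details worth checking when adapting it: latest is an exclusive bound, which is why alert_time+1 is used to keep events stamped at the alert second, and strptime without a %z in the format interprets the literal in the time zone configured for the searching user, so an alert time recorded in UTC should carry its offset in both the string and the format. The gentimes/addinfo form from the original question takes its earliest from info_min_time, i.e. from the time picker, which is why a literal earliest typed into that query had no effect and could even collide with an inline latest and produce the "Invalid time bounds" error shown later in the thread.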


Coal_55
Explorer

@ITWhisperer This is it! I owe you one, man 🙂


Thank you so much!


ITWhisperer
SplunkTrust

Have you tried something like

xxxxxx 
    [| makeresults 
    | eval earliest=strptime("2021/04/23 12:00:00","%Y/%m/%d %H:%M:%S")
    | fields earliest]

aasabatini
Motivator

Hi @Coal_55 

Are you trying to use both the earliest and latest fields?

example:

earliest=10/19/2018:00:00:00 latest=10/27/2018:00:00:00


To help you, I suggest reading this documentation:

https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/DateandTimeFunctions


https://docs.splunk.com/Documentation/Splunk/8.1.3/Search/Specifytimemodifiersinyoursearch


“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Coal_55
Explorer

@aasabatini Hello! If I specify earliest and latest in my query I get an error:


xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00 [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ]

Error in 'search' command: Unable to parse the search: Invalid time bounds in search: start=1619422260 > end=1619172000.


If I just put

xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00


It does look for events exactly at April 23 2021 9 AM. But I need to look for that time AND the 5 minutes before it.


Any clue on how to do it?


Thanks!


aasabatini
Motivator

Hi @Coal_55 

Try this search:

... your search...  [| makeresults 
| eval earliest="04/23/2021:08:51:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")]

Coal_55
Explorer

Hello @aasabatini

Thanks for the help. This query is useful to search for the time specified + 10 min. To achieve what I needed, I had to apply the logic @ITWhisperer used in his reply. But your query is actually useful for me as well. So thank you very much! 🙂


aasabatini
Motivator

Hi @Coal_55 

Happy to help! If you appreciate my support, please vote with 1 karma 😁
