Query with specific timestamp then pull the events - 5 minutes

Coal_55
Explorer

Hello Everyone.

I am pretty new to Splunk. I'll try to be brief:

 

I know that a specific event happened at an exact time. So I want to know what happened on that machine at that time and in the 5 minutes before it. This is to see what the machine was doing 5 minutes prior to triggering the alert.

 

I have this query (where xxxxxxxxx is the index, sourcetype and name of the machine I want to look at):

***********************************************************************************************

xxxxxxxxx [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ]

***********************************************************************************************

This works well if I manually select anything in the time picker. For example, if I click on "last 15 minutes", the query is in reality run for the last 20 minutes (as I also want the 5 minutes before the earliest time).

 

The problem comes when I try to type an exact time in the query itself. I am trying, for example, earliest=10/19/2018:00:00:00, but it does not work. I even tried earliest=-1d and it just does not listen to it; it listens to whatever is chosen in the time picker.

Maybe I am taking the wrong approach with my initial query. Has anybody been in this situation? Or can anyone shed some light here?

Thank you very much in advance.

 

ITWhisperer
SplunkTrust
xxxx
    [| makeresults 
    | eval earliest=relative_time(strptime("10/19/2018:00:00:00","%m/%d/%Y:%H:%M:%S"),"-5m@m")
    | eval latest=relative_time(earliest,"+5m@m")]


Coal_55
Explorer

@ITWhisperer  This is it!  I owe you one, man 🙂

 

Thank you so much!

 

 


ITWhisperer
SplunkTrust

Have you tried something like

xxxxxx 
    [| makeresults 
    | eval earliest=strptime("2021/04/23 12:00:00","%Y/%m/%d %H:%M:%S")
    | fields earliest]

aasabatini
Motivator

Hi @Coal_55 

Are you trying to use both the earliest and latest fields?

example:

earliest=10/19/2018:00:00:00 latest=10/27/2018:00:00:00

 

To help you, I suggest reading this documentation:

https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/DateandTimeFunctions

https://docs.splunk.com/Documentation/Splunk/8.1.3/Search/Specifytimemodifiersinyoursearch

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Coal_55
Explorer

@aasabatini Hello! If I specify earliest and latest in my query, I get an error:

 

xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00 [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ]

Error in 'search' command: Unable to parse the search: Invalid time bounds in search: start=1619422260 > end=1619172000.

 

If I just put  

xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00

 

It does look for events exactly at April 23, 2021, 9 AM. But I need to look for that time AND the 5 minutes before it.

 

Any clue on how to do it?

 

Thanks!


aasabatini
Motivator

Hi @Coal_55 

try this search:

... your search...  [| makeresults 
| eval earliest="04/23/2021:08:51:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")]
“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
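To make the two subsearches in this thread concrete (ITWhisperer's "-5m@m" / "+5m@m" window and aasabatini's "+10m" variant), here is an added Python model of the relevant subset of SPL's strptime() and relative_time(); it is not Splunk code and not from either poster. It assumes UTC so the epoch values are deterministic (Splunk would use the search head's timezone), and the modifier parser covers only s/m/h/d offsets with an optional @snap.

```python
# Added example: models the earliest/latest pair the subsearches in this
# thread hand back to the outer search. Not Splunk code; only a small subset
# of the SPL relative_time()/strptime() semantics is reproduced here.
import re
from datetime import datetime, timedelta, timezone

SPLUNK_FMT = "%m/%d/%Y:%H:%M:%S"  # format used in the accepted answer
_MOD = re.compile(r"^([+-]?\d+)([smhd])(?:@([smhd]))?$")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
# fields zeroed by each snap unit: @m drops seconds, @h minutes too, @d hours as well
_SNAP = {"s": (), "m": ("second",), "h": ("second", "minute"),
         "d": ("second", "minute", "hour")}

def relative_time(t: datetime, modifier: str) -> datetime:
    """Subset of SPL relative_time(): apply the signed offset, then the @snap."""
    m = _MOD.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier {modifier!r}")
    amount, unit, snap = m.groups()
    t = t + timedelta(**{_UNIT[unit]: int(amount)})
    if snap:
        t = t.replace(**{f: 0 for f in _SNAP[snap]}, microsecond=0)
    return t

def parse_event_time(text: str) -> datetime:
    """strptime() of the thread's timestamp format; UTC is a constructed assumption."""
    return datetime.strptime(text, SPLUNK_FMT).replace(tzinfo=timezone.utc)

def event_window(event_time: str, before: str, after: str) -> tuple:
    """Epoch (earliest, latest) as the subsearch returns them. A window whose
    start is after its end is rejected, mirroring Splunk's
    'Invalid time bounds in search' error seen earlier in this thread."""
    earliest = relative_time(parse_event_time(event_time), before)
    latest = relative_time(earliest, after)
    if earliest > latest:
        raise ValueError(
            f"Invalid time bounds in search: start={int(earliest.timestamp())} "
            f"> end={int(latest.timestamp())}")
    return int(earliest.timestamp()), int(latest.timestamp())

def subsearch_spl(event_time: str, before: str = "-5m@m", after: str = "+5m@m") -> str:
    """The accepted answer's subsearch as text, to paste after a base search."""
    return (
        "[| makeresults\n"
        f'| eval earliest=relative_time(strptime("{event_time}","{SPLUNK_FMT}"),"{before}")\n'
        f'| eval latest=relative_time(earliest,"{after}")]')
```

Calling `event_window("10/19/2018:00:00:00", "-5m@m", "+5m@m")` gives the five minutes up to the known event; `event_window("04/23/2021:08:51:00", "+0s", "+10m")` gives aasabatini's forward window.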

Coal_55
Explorer

Hello @aasabatini   

 

Thanks for the help. This query is useful to search for the time specified + 10 min. To achieve what I needed, I had to apply the logic @ITWhisperer used in his reply. But your query is actually useful for me as well. So thank you very much! 🙂


aasabatini
Motivator

Hi @Coal_55 

happy to help, if you appreciate my support please vote with a 1 karma 😁

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”