See what time range users search

dtow1
Path Finder

I want to write a query to see what time range users are using in their searches. e.g. 90% of searches use the last 24 hours and 10% of searches use 1+ day ago for the time frame.

I am using the following search:

index="_audit" action=search | eval searchExecutedTime = strptime(timestamp,"%m/%d/%Y") | eval searchTimeFrameStart = strptime(apiStartTime,"%m/%d/%Y") | eval past = searchExecutedTime - searchTimeFrameStart | table past

When I run this search it just opens to the statistics tab with an empty table but the tab shows that there are 2000+ results.

0 Karma
1 Solution

xpac
SplunkTrust

I just checked my audit log, and at least from what I see your timestamp formats are completely off. timestamp and apiStartTime are in completely different formats, returning both fields as empty, resulting in past being empty, and therefore getting an empty table with 2000+ lines, because in all events the past field does not exist.

If you fix your timestamp parsing, everything should be fine 🙂

Check the strftime.org documentation for an overview.


dtow1
Path Finder

Thank you very much. I think you found my problem (user error). I have been able to correct the timestamp extraction and that one is working great now. I am still unable to get results with the apiStartTime part though. Do you see anything wrong with it?

Here is what I am trying to match and what I used:

Sat Mar 31 00:00:00 2018
“%a %b %d %H:%M:%S %Y”
0 Karma

dtow1
Path Finder

It needed single quotes included. "'%a...%Y'"

xpac
SplunkTrust

Ah, damn, I saw that, but forgot to post it here. Sorry!

0 Karma

dtow1
Path Finder

No worries, that was the info I needed and it got me straightened out. I appreciate it!

0 Karma

somesoni2
Revered Legend

Give this a try

index="_audit" action=search search_id=* api_et=* api_lt=* | eval Past=tostring(round(api_lt-api_et),"duration") | stats count by Past
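The two fixes in this thread (matching the single-quoted apiStartTime with the right strptime format, and bucketing searches by api_lt - api_et as somesoni2's search does) can be checked offline. The Python below is an added example written for this page, not code from the thread or from Splunk: it runs a small SPL-like strptime over constructed audit lines, modelled loosely on _audit action=search events, and reports what share of searches cover the last 24 hours versus more than a day. The line layout, the field values and the 'N/A' placeholder used for an all-time search are all assumptions; times are treated as UTC.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not captured from a real deployment), loosely
# modelled on Splunk _audit "action=search" lines. api_et/api_lt are epoch
# seconds; apiStartTime keeps the single quotes that surround the value.
AUDIT_LINES = [
    "Audit:[timestamp=03-31-2018 10:15:22.123, user=alice, action=search, search_id='1522491322.5', "
    "apiStartTime='Sat Mar 31 00:00:00 2018', apiEndTime='Sun Apr 01 00:00:00 2018', "
    "api_et=1522454400, api_lt=1522540800]",
    "Audit:[timestamp=03-31-2018 10:16:05.007, user=alice, action=search, search_id='1522491365.6', "
    "apiStartTime='Sat Mar 31 09:16:05 2018', apiEndTime='Sat Mar 31 10:16:05 2018', "
    "api_et=1522487765, api_lt=1522491365]",
    "Audit:[timestamp=03-31-2018 10:20:41.550, user=bob, action=search, search_id='1522491641.7', "
    "apiStartTime='Sat Mar 24 10:20:41 2018', apiEndTime='Sat Mar 31 10:20:41 2018', "
    "api_et=1521886841, api_lt=1522491641]",
    # Assumed placeholder for an all-time search: no numeric earliest/latest time.
    "Audit:[timestamp=03-31-2018 10:25:00.000, user=bob, action=search, search_id='1522491900.8', "
    "apiStartTime='N/A', apiEndTime='N/A', api_et=N/A, api_lt=N/A]",
]

# key=value pairs; a value is either single-quoted or runs to the next comma / closing bracket.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,\]]+)")

TIMESTAMP_FMT = "%m-%d-%Y %H:%M:%S.%f"           # Splunk would use .%3N here; Python spells it %f
APISTART_FMT_NO_QUOTES = "%a %b %d %H:%M:%S %Y"  # fails: the quotes are part of the field value
APISTART_FMT = "'%a %b %d %H:%M:%S %Y'"          # what dtow1 found works

def parse_fields(line):
    """Return the key=value pairs of one audit line, values kept verbatim (quotes included)."""
    return dict(FIELD_RE.findall(line))

def splunk_like_strptime(value, fmt):
    """Behave like SPL strptime(): epoch seconds on success, None when the format does not fit."""
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None

def past_seconds(line, apistart_fmt=APISTART_FMT):
    """Recreate the asker's 'past' field: time the search ran minus the start of its range.
    Returns None when either parse fails, which is what produced the empty table."""
    f = parse_fields(line)
    executed = splunk_like_strptime(f["timestamp"], TIMESTAMP_FMT)
    start = splunk_like_strptime(f["apiStartTime"], apistart_fmt)
    if executed is None or start is None:
        return None
    return executed - start

def search_ranges(lines):
    """Per search_id: width of the searched time range (api_lt - api_et) in seconds.
    Searches without numeric api_et/api_lt (all-time searches) map to None."""
    ranges = {}
    for line in lines:
        f = parse_fields(line)
        if f.get("action") != "search":
            continue
        sid = f["search_id"].strip("'")
        try:
            ranges[sid] = float(f["api_lt"]) - float(f["api_et"])
        except (KeyError, ValueError):
            ranges[sid] = None
    return ranges

def bucket(range_seconds):
    """The two buckets the question asks about, plus one for all-time searches."""
    if range_seconds is None:
        return "all time"
    return "last 24 hours" if range_seconds <= 86400 else "1+ day ago"

def range_distribution(lines):
    """Percentage of searches per bucket, the figure the original question wants."""
    counts = Counter(bucket(r) for r in search_ranges(lines).values())
    total = sum(counts.values())
    return {name: round(100 * n / total, 1) for name, n in counts.items()}

if __name__ == "__main__":
    print("past with unquoted format:", past_seconds(AUDIT_LINES[0], APISTART_FMT_NO_QUOTES))
    print("past with quoted format:  ", past_seconds(AUDIT_LINES[0]))
    print(range_distribution(AUDIT_LINES))
```

The all-time case is the one somesoni2's `api_et=* api_lt=*` filter does not settle on its own: a search with no numeric earliest time has no width to subtract, so it is reported as its own bucket rather than being dropped silently or counted as zero.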

dtow1
Path Finder

Thank you that was helpful.

0 Karma