Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

See what time range users search

dtow1
Path Finder
‎05-01-2018 08:19 AM

I want to write a query to see what time range users are using in their searches. e.g. 90% of searches use the last 24 hours and 10% of searches use 1+ day ago for the time frame.

I am using the following search:

index="_audit" action=search | eval searchExecutedTime = strptime(timestamp,"%m/%d/%Y") | eval searchTimeFrameStart = strptime(apiStartTime,"%m/%d/%Y") | eval past = searchExecutedTime - searchTimeFrameStart | table past

When I run this search it just opens to the statistics tab with an empty table but the tab shows that there are 2000+ results.
alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-01-2018 08:45 AM

I just checked my audit log, and at least from what I see your timestamp format are completely off. timestamp and apiStartTime are in completely different formats, returning both fields as empty, resulting in past being empty, and therefore getting an empty table with 2000+ lines, because in all events the past field does not exist.

If you fix your timestamp parsings, everything should be fine 🙂

Check the strftime.org documentation for an overview.

View solution in original post

Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-01-2018 08:45 AM

I just checked my audit log, and at least from what I see your timestamp format are completely off. timestamp and apiStartTime are in completely different formats, returning both fields as empty, resulting in past being empty, and therefore getting an empty table with 2000+ lines, because in all events the past field does not exist.

If you fix your timestamp parsings, everything should be fine 🙂

Check the strftime.org documentation for an overview.

Reply
Solved! Jump to solution

dtow1
Path Finder
‎05-01-2018 09:30 AM

Thank you very much. I think you found my problem (user error). I have been able to correct the timestamp extraction and that one is working great now. I am still unable to get results with the apiStartTime part though. Do you see anything wrong with it?

Here is what I am trying to match and what I used:

Sat Mar 31 00:00:00 2018
“%a %b %d %H:%M:%S %Y”
0 Karma
Reply
Solved! Jump to solution

dtow1
Path Finder
‎05-02-2018 08:02 AM

It needed single quotes included. "'%a...%Y'"

Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-02-2018 08:13 AM

Ah, damn, I saw that, but forget to post it here. Sorry!

0 Karma
Reply
Solved! Jump to solution

dtow1
Path Finder
‎05-02-2018 08:15 AM

No worries, that was the info I needed and it got me straightened out. I appreciate it!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-01-2018 08:36 AM

Give this a try

index="_audit" action=search search_id=* api_et=* api_lt=* | eval Past=tostring(round(api_lt-api_et),"duration") | stats count by Past
Reply
Solved! Jump to solution

dtow1
Path Finder
‎05-02-2018 08:03 AM

Thank you that was helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...