Splunk Search

Time range in rest query- Unable to get it down to last hour?

Ra1n
New Member

Hi, 

I've got the below query that I'm using to try and see when correlation searches have been edited:

| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| eval actions=split(actions, ",")
| rename "eai:acl.owner" as "Created By"
| rename author as "Updated By"
| rename updated as "Update time"
| fields title, search, description, "Update time", "Updated By", "Created By"

The issue that I'm having here is that no matter what I try, I am unable to narrow this down to the last hour, for example, and it always returns the last couple of months.

Any help on this would be great!


schose
Builder

Hi Ra1n,

The | rest command gives you the state of an endpoint, in this case saved searches. It does not give you a history, which is what you might expect. That's why time-based searches are not working by default.

If you want an audit of your correlation searches, I would suggest implementing a CI/CD workflow and having the app and/or savedsearches.conf file version controlled, particularly if dealing with security environments.

best regards,

Andreas
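Added example (not from either poster): since | rest returns only the current state of each saved search, the one time-based filter that is possible is on the `updated` field, which is the object's last-modified timestamp. The search below keeps the original query's enabled-correlation-search filter and then drops everything not modified in the last hour. It assumes the `updated` value is ISO 8601 with a numeric UTC offset (e.g. 2024-05-01T12:34:56+00:00, a constructed sample) so that the `%z` directive parses it; adjust the format string if your instance emits a different shape.

```spl
| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| eval updated_epoch=strptime(updated, "%Y-%m-%dT%H:%M:%S%z")
| where isnotnull(updated_epoch) AND updated_epoch >= relative_time(now(), "-1h")
| eval "Update time"=strftime(updated_epoch, "%Y-%m-%d %H:%M:%S %Z")
| rename "eai:acl.owner" as "Created By", author as "Updated By"
| table title, "Update time", "Updated By", "Created By", description, search
```

This answers "which correlation searches were changed in the last hour" at the moment the search runs; it still shows only the latest edit per search and nothing about what the previous version looked like, so it complements rather than replaces the version-controlled savedsearches.conf approach described above. The `isnotnull` guard keeps rows whose timestamp failed to parse from silently disappearing into a misleading empty result; if you see every row vanish, check the raw `updated` value against the format string.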
