Splunk Search

What timeframe do REST API searches use?

random_event
Explorer

I need to count the number of times an alert has triggered in a specific time window (say, the last 24 hours). I am trying to do that via | rest but noticed the counts remain constant despite changing the search time interval (60m, yesterday, last 7d, 15m, etc.).

What "time" does | rest search or return results for? I tried reading the docs on rest and the user manual for the REST API, but nothing quite explains it.

Current SPL

| rest /services/alerts/fired_alerts splunk_server=local
| search author="[email protected]"
| table eai:acl.app eai:acl.owner id title triggered_alert_count 
| rename eai:acl.* as *, app as App, owner as Owner, id as Endpoint, title as Title, triggered_alert_count as "Count of Triggered Alerts"

VatsalJagani
SplunkTrust

@random_event - Most | rest commands give constant output regardless of the time range selected.

So if you want something specific, you have to filter with a | where condition. Look at the results; there must be some field in them with a time in it, on which you can apply the where condition to filter as you like.

I hope this helps, upvote if it does!!!
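One way to apply that kind of time filter to the fired-alerts endpoint, as an added example that is not part of either answer. It assumes the per-alert endpoint /services/alerts/fired_alerts/<alert name> lists each trigger with a trigger_time field holding an epoch value (confirm with | table trigger_time on your instance first); <alert name> is a placeholder for the saved search's name, and "-24h" is the window to change.

```spl
| rest /services/alerts/fired_alerts/<alert name> splunk_server=local
| eval trigger_time=tonumber(trigger_time)
| where trigger_time >= relative_time(now(), "-24h")
| stats count as "Count of Triggered Alerts" by savedsearch_name
```

The search time picker still has no effect here; the window comes entirely from the relative_time() comparison in the where clause.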

rohit1793
SplunkTrust

Hello @random_event ,

It pulls whatever you have at that endpoint for all time. For example, if you want to know all the KOs belonging to person x, you can filter it and see all the enabled and disabled KOs belonging to x.

Rohit Joshi
Splunk Architect

random_event
Explorer

Okay, so REST will query all available data, as you said, for "all time". How is the time determined? Is it based on the retention of the internal indexes (mine is set to 60d)?
