I am plotting a timechart based on a datetime field (timestamp) in the event.
The search looks like:
* "logname=customlog"
| fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message
| spath input=Message output=EventMessage path=Message
| spath input=Message output=event_id path=event_id
| spath input=Message output=timestamp path=timestamp
| eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count by event_id
Events in my data are between Feb 2011 and Mar 2011. This works fine for "All Time", but when I set the time range to anything earlier than the time when I posted the data, I get no results. It seems like _time is not getting overridden by the search as intended.
Can someone please help?
Can you try changing your where clause to the following
| where _time>=info_min_time AND _time<=if(info_max_time=="+Infinity", now(), info_max_time)
Let me know if this works. If not, please post a sample of your data.
Cheers.
It is still the same. My sample event is like following:
11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"event_id" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system_state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}
As you can see, the event has the date time of event posting: 11/05/2019 01:06:16 PM, and there is a datetime in the JSON field Message["timestamp"]. I want all time range comparisons to be done wrt Message["timestamp"] and totally ignore the event posting datetime. Is it possible?
Like this:
index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND "logname=customlog" earliest=0 latest=now
| spath input=Message output=EventMessage path=Message
| spath input=Message output=event_id path=event_id
| spath input=Message output=timestamp path=timestamp
| eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S")
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count BY event_id
Same result. The date range gives no result. The date range still works on the time when I posted the data: if the time of posting is within the bounds of the date range, then I see all the results. The timestamp in my posted data is from Feb 2011 to Mar 2011, and I posted the data yesterday, so any date range with an end time before yesterday gives me 0 results.
Did you post my answer exactly? The key part is the earliest=0 latest=now. You must have that part.
Adding earliest=0 latest=now always returns all the events, but that is not what I want. I want the date range filter to be applied against the JSON in the event (Message["timestamp"] in the sample event below):
11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"event_id" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system_state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}
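The behaviour seen in this thread, as an added Python model that is not from the original posts or from Splunk itself: the time-range picker (or earliest/latest in the search string) filters on the indexed _time at retrieval, before eval rewrites it, and addinfo reports those same retrieval bounds, which is why the 2011 payload timestamps never see the picker and why earliest=0 latest=now returns everything. The where_bounds parameter and the third run, which passes explicit limits to the where clause instead of addinfo's, are an assumption that goes beyond what the thread shows.

```python
import json
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"        # strptime format used in the thread's eval
HDR = "%m/%d/%Y %I:%M:%S %p"     # Windows event header, e.g. 11/05/2019 01:06:16 PM


def epoch(text, fmt=FMT):
    """strptime() stand-in: timestamp string -> epoch seconds (UTC for this model)."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


# Constructed events: indexed _time comes from the header line (posting time),
# while the JSON Message carries the 2011 timestamp the asker wants to chart on.
EVENTS = [
    {"_time": epoch("11/05/2019 01:06:16 PM", HDR),
     "Message": json.dumps({"event_id": "41", "timestamp": "2011-02-19 15:22:23"})},
    {"_time": epoch("11/05/2019 01:06:17 PM", HDR),
     "Message": json.dumps({"event_id": "42", "timestamp": "2011-03-02 08:00:00"})},
]


def run_search(events, earliest, latest, where_bounds=None):
    """Model the SPL pipeline order. earliest/latest (picker or search-string
    values) filter on the *indexed* _time at retrieval, before eval rewrites it.
    addinfo then reports those same bounds, so the where clause only tests the
    payload timestamp against different limits if where_bounds supplies them
    (hypothetical parameter, not part of the thread's search)."""
    hi = float("inf") if latest == "+Infinity" else latest
    retrieved = [e for e in events if earliest <= e["_time"] <= hi]   # retrieval
    rewritten = []
    for e in retrieved:                                                # spath + eval
        msg = json.loads(e["Message"])
        rewritten.append({"event_id": msg["event_id"], "_time": epoch(msg["timestamp"])})
    info_min, info_max = where_bounds or (earliest, latest)            # addinfo
    kept = [e for e in rewritten if e["_time"] >= info_min
            and (info_max == "+Infinity" or e["_time"] <= info_max)]   # where
    counts = {}                                                        # timechart count
    for e in kept:
        counts[e["event_id"]] = counts.get(e["event_id"], 0) + 1
    return counts


NOW = epoch("2019-11-06 00:00:00")    # constructed "now": the day after posting
FEB_2011, MAR_2011, APR_2011 = (epoch(f"2011-{m:02d}-01 00:00:00") for m in (2, 3, 4))

if __name__ == "__main__":
    print(run_search(EVENTS, FEB_2011, APR_2011))   # picker Feb-Apr 2011: {}
    print(run_search(EVENTS, 0, NOW))               # earliest=0 latest=now: both events
    print(run_search(EVENTS, 0, NOW, where_bounds=(FEB_2011, MAR_2011)))  # Feb only
```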