×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
anands4
Engager
Member since: ‎09-17-2018
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎09-17-2018
View All

what does timeDiff_type field in es_notable_events...

by in Splunk Enterprise Security
‎09-17-2018 04:37 AM
‎09-17-2018 04:37 AM
I was trying to get report of top notable events created in splunk. Below is the search query for it: | es_notable_events | search timeDiff_type=current | stats sparkline(sum(count),30m) as sparkline,sum(count) as count by rule_name | sort 100 - count I need to know what is timeDiff_type=current means? If I put timeDiff_type=* , I am getting huge increase in count of data. Different question related to same 'es_notable_events' : The output for the query that I am putting is fixed. If I am changing the time-picker to past 1 week, Iam getting the same data. Same output is shown If I change the timings. Why the data is not changing ? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to