I would like to be able to provide a timestamp and have Splunk return the log nearest/before the timestamp and nearest/after the timestamp, essentially bookending the provided timestamp.
The use case is that a report is given to me with an "event" occurring at a given timestamp. I want to search and find the authentication "start" and authentication "stop" messages for the device/user associated with the event that encompass the timestamp.
Ideas?
Have a look at the localize command. http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Localize
If it's not so much a matter of getting events based on time, but rather the IP address, it sounds like a subsearch could be more useful? http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch
Looked over localize, but I'm not sure how to get what I need. Use case is I'm given an IP address and a timestamp for an event. I then have user logon/logoff logs that have the IP address. So, with the given information, I need to find the associated logon and logoff log that bookmarks the provided timestamp for that IP.
Does this make sense? How can I get this, using localize+map commands or any other means?
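One search that does the bookending for a single IP, added here as an example rather than taken from any answer in this thread. The index name `auth`, the fields `src_ip`, `action` and `user`, the IP `10.0.0.5` and the pivot timestamp are all constructed placeholders; substitute your own.

```spl
index=auth src_ip="10.0.0.5" (action="logon" OR action="logoff")
    earliest="03/01/2013:00:00:00" latest="03/02/2013:00:00:00"
| eval pivot=strptime("2013-03-01 14:30:00", "%Y-%m-%d %H:%M:%S")
| where (action="logon" AND _time<=pivot) OR (action="logoff" AND _time>=pivot)
| eval distance=abs(_time - pivot)
| sort 0 distance
| dedup action
| eval pivot_time=strftime(pivot, "%Y-%m-%d %H:%M:%S")
| table _time action user src_ip pivot_time
```

The `where` clause keeps only logons at or before the pivot and logoffs at or after it, and `sort`+`dedup action` then leaves the single closest event of each kind; the `earliest`/`latest` window just bounds the scan, so widen it if a session can run longer than a day. Both the window and the pivot string are parsed in the searching user's time zone, so confirm that matches the time zone of the report before trusting the pair you get back.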