Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

REST API "nearby events'

yemyslf
Path Finder
‎11-16-2018 12:04 PM

I'm trying to automate a search using the REST API to provide a list of events that occur x seconds before and after a specific event. Similar to the nearby events functionality but I won't be using the same search criteria.

Here's what I'm shooting for. I've got the first two steps down but I'm not sure how handle the time window. Any suggestions?

  1. Search using REST API for specific event_id
  2. Extract username and time from event
  3. Use extracted fields to perform search for events for specified user occurring x seconds before and after extracted time
0 Karma
Reply

yemyslf
Path Finder
‎11-19-2018 09:26 AM

I worked out my issue. The request to the API needed the latest_time and earliest_time values and I was providing an absolute time. I needed to use the time_format in my request to indicate the format I was using for my absolute time.

0 Karma
Reply

laurie_gellatly
Communicator
‎11-18-2018 01:42 PM

Not sure what piece you're stuck on. Maybe sharing what you've tried will assist with getting a better answer.
Have you looked at https://answers.splunk.com/answers/509911/what-is-the-correct-earliest-time-format-for-searc-1.html ?

...Laurie:{)

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...