Splunk Enterprise Security

How to search by time using |rest command

wtaylor149
Explorer

I'm searching using the | rest command from the search bar, attempting to find saved searches that have been modified in the last x number of days. In the below search there is a field called "updated" which I'm attempting to convert to epoch time and then search back x number of days, looking for any search that matches the timepicker. No search string that I've tried has been able to pick up the time, so to speak.

My base search is:
| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, eai:acl.owner as owner, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| eval t=strptime(updated, "%Y-%m-%dT%H:%M:%S")
| where t < relative_time(now(),"-30d@d")
| table csearch_label updated t

Thanks in advance for the help and guidance.

0 Karma
1 Solution

acharlieh
Influencer

How I would solve this is to use a subsearch, with addinfo to collect the timepicker details, and generate a where condition that would be inserted into the parent search...

| rest splunk_server=local count=0 /servicesNS/-/-/saved/searches f=updated f=eai:acl f=action.correlationsearch.label f=action.notable.param.security_domain search=action.correlationsearch.enabled=true 
| fields author eai:acl.app eai:acl.owner title action.* updated 
| rename eai:acl.* -> * title -> csearch_name action.correlationsearch.label -> csearch_label action.notable.param.* -> *
| eval t=strptime(updated, "%Y-%m-%dT%H:%M:%S%z")
| where 
    [ makeresults 
    | addinfo
    | eval search=" t >= ". info_min_time. if(info_max_time=="+Infinity",""," AND t <= ".info_max_time) ]

(I developed this on a 7.2.4.1 instance, with ES 5.2.0)

Some variations from your search... First, with the rest command I'm using the namespaced version of the URL to search across all app/user contexts instead of just the current app-user context, and I'm using the f and search parameters to limit the fields and results that I need from the saved searches GET endpoint. (Special props to @cmerriman, who taught me about the f parameter.)

But just like your search, I'm cutting down to the fields I need, renaming the fields to nicer names, and using eval to parse the updated time back to epoch format...

Now for the where statement... Here we're using a subsearch to build the where condition: addinfo provides the min and max time (in epoch time) selected by the time picker, and using that we are able to filter on the epoch time. When All time is selected, info_min_time = 0 and info_max_time = "+Infinity", hence the if statement in building the search field, which is then inserted into the where clause.

It's possibly obvious, but I should note that this is of course only looking at the LAST time a particular search was modified; the data about every time a particular search was modified is not in fact stored in the metadata and thus not retrievable by this endpoint.

tmontney
Builder

Strptime is nearly correct: strptime(updated, "%Y-%m-%dT%H:%M:%S.%f-%z")

For me, it was missing the milliseconds and dash between timezone offset.

0 Karma
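As an added example that is not part of this thread (it is neither wtaylor149's nor acharlieh's code), the Python below reproduces the accepted answer's logic outside of SPL: it parses the REST "updated" timestamp to epoch seconds, accepting both the plain offset form acharlieh's strptime handles and the fractional-seconds form tmontney ran into, builds the same where fragment the addinfo subsearch generates (dropping the upper bound when the picker is "All time" and info_max_time is "+Infinity"), and filters entries to enabled correlation searches modified inside the window. The entries are constructed sample data shaped like the JSON the saved/searches endpoint returns with output_mode=json; the entry shape (name, acl, content, updated) and every name, owner and timestamp in it are assumptions, not output from a real instance.

```python
import re
from datetime import datetime

# Constructed sample entries, shaped like the JSON (output_mode=json) that
# /servicesNS/-/-/saved/searches returns, trimmed to the fields the thread
# uses. Names, owners and timestamps are invented for this example.
SAMPLE_ENTRIES = [
    {"name": "Example Correlation One",
     "acl": {"app": "SplunkEnterpriseSecuritySuite", "owner": "admin"},
     "updated": "2019-03-01T09:15:00-05:00",
     "content": {"action.correlationsearch.enabled": "1",
                 "action.correlationsearch.label": "Example One",
                 "action.notable.param.security_domain": "threat"}},
    {"name": "Example Correlation Two",
     "acl": {"app": "search", "owner": "analyst"},
     "updated": "2019-03-10T12:30:45.123-05:00",  # fractional seconds, as in tmontney's case
     "content": {"action.correlationsearch.enabled": "true",
                 "action.correlationsearch.label": "Example Two",
                 "action.notable.param.security_domain": "access"}},
    {"name": "Plain Report",
     "acl": {"app": "search", "owner": "analyst"},
     "updated": "2019-03-12T00:00:00+00:00",
     "content": {"action.correlationsearch.enabled": "0"}},
]

# Anchored form of the regex the question passes to match(); the flag is stored
# as "1" or "true" depending on how the search was saved.
ENABLED_RE = re.compile(r"^(?:1|[Tt]|[Tt][Rr][Uu][Ee])$")

UPDATED_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",     # the form acharlieh's answer parses
    "%Y-%m-%dT%H:%M:%S.%f%z",  # the same with fractional seconds
)


def parse_updated(value):
    """Convert the REST 'updated' string to epoch seconds (UTC).

    Python's %z (3.7+) accepts the colon-separated offset Splunk emits, so the
    two formats above cover both timestamp shapes reported in the thread.
    """
    for fmt in UPDATED_FORMATS:
        try:
            return datetime.strptime(value, fmt).timestamp()
        except ValueError:
            continue
    raise ValueError(f"unrecognised 'updated' timestamp: {value!r}")


def build_where_clause(info_min_time, info_max_time):
    """Return the SPL fragment the accepted answer's subsearch generates.

    The lower bound is always emitted; the upper bound is dropped when the time
    picker is 'All time', which addinfo reports as info_max_time = '+Infinity'.
    """
    clause = " t >= " + str(info_min_time)
    if info_max_time != "+Infinity":
        clause += " AND t <= " + str(info_max_time)
    return clause


def in_window(epoch, info_min_time, info_max_time):
    """Evaluate the same time-picker condition in Python instead of SPL."""
    if epoch < float(info_min_time):
        return False
    if info_max_time == "+Infinity":
        return True
    return epoch <= float(info_max_time)


def modified_correlation_searches(entries, info_min_time, info_max_time):
    """Filter REST entries the way the thread's search does and rename fields."""
    rows = []
    for entry in entries:
        content = entry.get("content", {})
        if not ENABLED_RE.match(str(content.get("action.correlationsearch.enabled", ""))):
            continue
        t = parse_updated(entry["updated"])
        if not in_window(t, info_min_time, info_max_time):
            continue
        acl = entry.get("acl", {})
        rows.append({
            "csearch_name": entry["name"],
            "csearch_label": content.get("action.correlationsearch.label"),
            "app": acl.get("app"),
            "owner": acl.get("owner"),
            "security_domain": content.get("action.notable.param.security_domain"),
            "updated": entry["updated"],
            "t": t,
        })
    return rows


if __name__ == "__main__":
    # "Last 7 days" relative to a fixed now of 2019-03-14T00:00:00Z, the pair of
    # values the time picker would hand to addinfo.
    now = 1552521600
    print(build_where_clause(now - 7 * 86400, now))
    for row in modified_correlation_searches(SAMPLE_ENTRIES, now - 7 * 86400, now):
        print(row["csearch_label"], row["updated"], row["t"])
```

Pulling the entries from a live instance means calling the same endpoint acharlieh's answer uses (with output_mode=json and the f= parameters to trim the payload) and passing the returned entries to modified_correlation_searches; running the check from outside Splunk is one way to keep an independent record of when detection content last changed, which, as the answer notes, the endpoint itself only reports as the most recent modification.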