Hi all,
I am trying to add time modifiers to the "from" command, from within the query, with not much luck.
An example for the command is:
| from datamodel:"Authentication"."Failed_Authentication" | search dest="Host1" app="win:local"
Can anyone help me figure this out?
This answer shows you how to use a macro in the same way that you are using from datamodel, which means that you can use earliest and latest in-line in the normal way (UpVotes appreciated):
https://answers.splunk.com/answers/716936/splunk-server-field-is-not-available-when-we-searc.html
Thanks for your response.
It is not exactly what I was looking for.
The problem is only with the "from" command. The tstats command can be used with time modifiers.
Also, I have Splunk Cloud, so it is a bit of a problem to add the macros to the file.