Does anyone know why I am getting the following error when running the following search to find surrounding events:
* [ search sourcetype=fireeye OR sourcetype=imap | eval starttimeu=_time | eval endtimeu=_time+300 | fields + starttimeu endtimeu ]
(Seen on Splunk search head version 4.1.5)
Because the implicit format of the subsearch inserts the AND keyword, making the result of your subsearch ((starttimeu="1234567590" AND endtimeu="1234567890")). Splunk syntax doesn't like the AND with time quantifiers. I personally consider this a bug.

Also, starttimeu and endtimeu have been deprecated for some time now. Please use earliest and latest instead.

The fix/workaround is to use an explicit format that doesn't insert the AND (which isn't necessary anyway):

* [ search sourcetype=fireeye OR sourcetype=imap | eval earliest=_time | eval latest=_time+300 | fields earliest latest | format "(" "(" " " ")" "OR" ")" ]
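To make the difference between the implicit and the explicit format concrete, here is an added Python emulation of what the subsearch's `format` step does to the result rows. It is example code written for this page, not Splunk's own implementation or anything from the answer above: the six delimiter positions (row prefix, column prefix, column separator, column suffix, row separator, row suffix) follow the order of the `format` command's arguments, but the exact whitespace in the generated string and the `has_and_between_time_modifiers` check are this example's own assumptions.

```python
"""Emulate how a Splunk subsearch's `format` step turns result rows into a
search string, to show why the implicit format puts AND between the
time-window fields and how the explicit delimiters avoid it.

Added illustration, not Splunk's own code.  The six delimiter positions
(row prefix, column prefix, column separator, column suffix, row separator,
row suffix) follow the `format` command's argument order; exact whitespace
in the output is this emulation's choice.
"""
import re
from typing import Dict, List


def spl_format(rows: List[Dict[str, object]],
               row_prefix: str = "(",
               col_prefix: str = "(",
               col_sep: str = "AND",
               col_suffix: str = ")",
               row_sep: str = "OR",
               row_suffix: str = ")") -> str:
    """Join subsearch result rows into one search expression.

    The defaults are the implicit delimiters a subsearch applies when no
    `format` is written out: fields in a row joined with AND, rows joined
    with OR.  A separator that is only whitespace (the workaround's " ")
    collapses to a single space between the field="value" pairs.
    """
    row_strings = []
    for row in rows:
        pairs = [f'{field}="{value}"' for field, value in row.items()]
        sep = f" {col_sep.strip()} " if col_sep.strip() else " "
        row_strings.append(f"{col_prefix}{sep.join(pairs)}{col_suffix}")
    body = f" {row_sep} ".join(row_strings)
    return f"{row_prefix}{body}{row_suffix}"


def time_window_rows(events: List[Dict[str, int]],
                     window: int = 300) -> List[Dict[str, int]]:
    """Mimic `eval earliest=_time | eval latest=_time+300 | fields earliest latest`
    on events that carry an integer epoch `_time`."""
    return [{"earliest": e["_time"], "latest": e["_time"] + window} for e in events]


# Time modifiers mentioned on the page (the two deprecated ones and their replacements).
TIME_MODIFIERS = ("earliest", "latest", "starttimeu", "endtimeu")
_ALT = "|".join(TIME_MODIFIERS)
_AND_BETWEEN_TIME_MODIFIERS = re.compile(
    r'(?:' + _ALT + r')="[^"]*"\s+AND\s+(?:' + _ALT + r')='
)


def has_and_between_time_modifiers(search: str) -> bool:
    """True when a generated search joins two time modifiers with AND, the
    shape the answer says Splunk 4.1.5 rejects.  This check is the example's
    own heuristic, not something Splunk provides."""
    return _AND_BETWEEN_TIME_MODIFIERS.search(search) is not None


if __name__ == "__main__":
    # Constructed sample: two inner-search hits with epoch timestamps.
    hits = [{"_time": 1234567590}, {"_time": 1234570000}]
    rows = time_window_rows(hits)

    implicit = spl_format(rows)               # what the subsearch does by default
    explicit = spl_format(rows, col_sep=" ")  # format "(" "(" " " ")" "OR" ")"
    print("implicit:", implicit, "-> AND between time modifiers:",
          has_and_between_time_modifiers(implicit))
    print("explicit:", explicit, "-> AND between time modifiers:",
          has_and_between_time_modifiers(explicit))
```

Running it prints the implicit string with `AND` between `earliest` and `latest` inside each row and the explicit one with only a space, while rows are still joined with `OR` in both cases, which is why the workaround keeps `"OR"` as the row separator and changes only the column separator.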
Another workaround for this is to perform two sub-searches in succession, one of the earliest and one for the latest time values, like this: