- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to convert field to be used by value in the Ti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning,
The challenge here is that the Security Center alerts are based on properties.detectedTimeUtc field.
When looking at the event pulled in by the add-on, the _time is the time the event was pulled, not when the event actually occurred.
This means the dashboards are not accurate for last 24 hours, etc.
So, trying to convert the properties.detectedTimeUtc field to epoch, then replace the value of _time so the time picker will work.
However, every time I try to touch properties.detectedTimeUtc, the value just blanks out.
We have tried all of these, and the value always comes back blank
| eval epoch_time=strptime(properties.detectedTimeUtc,"%Y-%m-%dT%H:%M:%S.%3N")
| eval properties.detectedTimeUtc=strftime(strptime(properties.detectedTimeUtc, "%m/%d/%YT%H:%M:%S.%7NZ"), "%m/%d/%Y")
| eval newfieldname=properties.detectedTimeUtc
(yes the newfieldname value is blank when outputted to a table.)
The value in the field is: 2019-05-30T07:23:09.0458965Z
Anyone know how to convert this field so I can use this value in the Time Picker on a Dashboard?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it! I had help from AP
I also had help from
https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html
We do have tons of duplicate data from this add-on however. It does not include a checkpoint
So basically what this does is fill the value of _time, so that it is the same value as the detectedTimeUtc field. Then the time picker will use this for the range.
index=azure sourcetype=azure:securityCenter:alert | dedup "properties.detectedTimeUtc" "properties.instanceId" "properties.compromisedEntity"
| rex field=properties.detectedTimeUtc "(?.*)."
| eval atime=strptime(timer,"%Y-%m-%dT%H:%M:%S")
| eval timestamp=strftime(atime,"%Y-%m-%dT%H:%M:%S")
| eval _time=strptime(timer,"%Y-%m-%dT%H:%M:%S")
| sort 0 _time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time)
| eval Start_Time=strftime(info_min_time,"%m/%d/%y")
| eval Stop_Time=strftime(info_max_time,"%m/%d/%y")
| table _time timer properties.detectedTimeUtc Start_Time Stop_Time "properties.alertDisplayName" "properties.compromisedEntity" "properties.instanceId" "properties.reportedSeverity" "properties.description"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it! I had help from AP
I also had help from
https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html
We do have tons of duplicate data from this add-on however. It does not include a checkpoint
So basically what this does is fill the value of _time, so that it is the same value as the detectedTimeUtc field. Then the time picker will use this for the range.
index=azure sourcetype=azure:securityCenter:alert | dedup "properties.detectedTimeUtc" "properties.instanceId" "properties.compromisedEntity"
| rex field=properties.detectedTimeUtc "(?.*)."
| eval atime=strptime(timer,"%Y-%m-%dT%H:%M:%S")
| eval timestamp=strftime(atime,"%Y-%m-%dT%H:%M:%S")
| eval _time=strptime(timer,"%Y-%m-%dT%H:%M:%S")
| sort 0 _time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time)
| eval Start_Time=strftime(info_min_time,"%m/%d/%y")
| eval Stop_Time=strftime(info_max_time,"%m/%d/%y")
| table _time timer properties.detectedTimeUtc Start_Time Stop_Time "properties.alertDisplayName" "properties.compromisedEntity" "properties.instanceId" "properties.reportedSeverity" "properties.description"
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
