Re: Change Time Window Filter to another type of f...

liondancer · ‎05-24-2018

In the Time Window Filter, I can filter through events based on the time they arrived

However, I would like to filter based on fields within my event. For instance, in all my events, they have these fields:

year=2018 month=01 day=01 hour=01

I can eval this to DateHour=year'-'month'-'day'-'hour to generate 2018-01-01-01. How can I filter using the Time Window by DateHour instead ?

kmaron · ‎06-05-2018

I had to do something similar with a dashboard I was using. It's not 100% but it might help get you close.

TimeRange is the name of my token from the time picker.

start with your DateHour eval
    | eval start_time=relative_time(now(),"$TimeRange.earliest$")
    | eval start_time2="$TimeRange.earliest$"
    | eval start_time=if(start_time>0,start_time,start_time2)
    | eval end_time=relative_time(now(),"$TimeRange.latest$")
    | eval end_time2="$TimeRange.latest$"
    | eval end_time=if(end_time2="now",9999999999,end_time)
    | eval end_time=if(end_time>0,end_time,end_time2)
    | eval timestamp=strptime(DateHour,"%Y-%m-%d-%H")
    | where timestamp>=start_time AND timestamp<=end_time

somesoni2 · ‎05-24-2018

The time range picker (Time Window filter in your dashboard) is applied on the field _time, which is the timestamp of the event in the Splunk. Is _time field for your events doesn't corresponds to these year/month/day/hour field? If not, then you can try this workaround. How this works is your base search is run with a time-range large enough that all events with specific year/month/day/hour are included in (based on their _time value), then you overwrite _time field with your custom date fields and then apply (subsearch) filter based on selected time range. Here I'm assuming relevant events are within one day of selected time range (so if you select last 24 hours, the base search is run for last 48 hours, the addinfo command adds values from your Time Window filter)

your base search e.g. index=foo sourcetype=bar baz=quex... [| gentimes start=-1 | addinfo | eval earliest=info_min_time-86400 | eval latest=info_max_time  | table earliest latest ] 
| eval _time=strptime(year."-".month."-".day." ".hour.":00","%Y-%m-%d %H:%M")
| where _time>=[| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]
|..rest of the search

liondancer · ‎06-04-2018

Still having trouble with this. I used your sample query and was not able to get any events. I also try to set the range for ALL of 2017 till present.

index=index_1 OR index=index_2 zone=aws OR zone=prem [| gentimes start=-1 | addinfo | eval earliest=info_min_time-86400 | eval latest=info_max_time  | table earliest latest ] 
 | eval _time=strptime(year."-".month."-".day." ".hour.":00","%Y-%m-%d %H:%M")
 | where _time>=[| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search] 
| eval DateHour=year."-".month."-".day."-".hour
| chart sum(event_count) by DateHour, zone

Change Time Window Filter to another type of filtering

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...