I want to build a workflow action in Splunk Enterprise Security which passes an epoch time to a new search, and then finds all events from a specified sourcetype within +/- 5 seconds of that event. Any ideas? I know how to transform an epoch time to earliest and latest, but that means my search starts with eval commands and I don't get the results I expect. I also tried returning earliest and latest as subsearches, with no luck.