Hey all,
I would like to automatically apply some logic to the end of any alert which will help guide users to snap to a particular timeframe around an event (without having to rely on SID lifespan or generated links).
What I'm wanting to do -- I'm wanting to expose epoch times for earliest and latest that users can just paste into a search to snap to the same time period. The logic I'm wanting to append is this:
| addinfo | rename info_sid AS _info_sid | rename info_max_time AS _info_max_time | rename info_min_time AS _info_min_time | rename info_search_time AS _info_search_time
I'm testing this on Splunk 6.3 -- if I append this manually to a search, it works, but I would like to hide this logic from the end users. Any suggestions?
At the end of the day I would like to print something similar to this in the generated email message:
earliest=$result._info_min_time$
latest=$result._info_max_time$
Which would produce something like this:
earliest=1445285820.000
latest=1445285881.137
The following isn't in the correct timestamp format for users to be able to cut and paste into the searches:
Report started : $job.earliestTime$
Report finished : $job.latestTime$
as it shows up like:
Report started : 2015-10-19T20:17:00.000+00:00
Report finished : 2015-10-19T20:18:01.939+00:00
Thanks
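As an added example (not part of the original post), here is a small Python helper that turns the ISO-8601 values `$job.earliestTime$` / `$job.latestTime$` render into the epoch form that `addinfo`'s `info_min_time` / `info_max_time` give, and builds the `earliest=... latest=...` pair an analyst can paste into a search. The e-mail text it parses is a constructed sample modelled on the post; the `Report started :` / `Report finished :` labels are assumed to match what the alert prints.

```python
# Added example, not from the original post: convert Splunk job ISO timestamps
# (e.g. 2015-10-19T20:17:00.000+00:00) to epoch seconds with 3 decimals, the
# same shape addinfo's info_min_time / info_max_time use, so the window of an
# alert can be reproduced exactly with earliest=/latest= in a later search.
import re
from datetime import datetime, timezone

# Constructed sample of the alert e-mail body described in the post.
SAMPLE_EMAIL = """Report started : 2015-10-19T20:17:00.000+00:00
Report finished : 2015-10-19T20:18:01.939+00:00
"""

def iso_to_epoch(ts: str) -> str:
    """'2015-10-19T20:17:00.000+00:00' -> '1445285820.000' (UTC epoch, 3 decimals)."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # Job tokens normally carry an offset; a bare value is treated as UTC (assumption).
        dt = dt.replace(tzinfo=timezone.utc)
    return f"{dt.timestamp():.3f}"

def snap_window(email_text: str) -> dict:
    """Extract the 'Report started/finished' lines and return epoch earliest/latest."""
    pattern = re.compile(r"^Report (started|finished)\s*:\s*(\S+)\s*$", re.MULTILINE)
    found = {m.group(1): m.group(2) for m in pattern.finditer(email_text)}
    missing = {"started", "finished"} - found.keys()
    if missing:
        raise ValueError(f"alert text lacks Report line(s): {sorted(missing)}")
    return {
        "earliest": iso_to_epoch(found["started"]),
        "latest": iso_to_epoch(found["finished"]),
    }

def paste_snippet(window: dict) -> str:
    """Render the time modifiers exactly as they would be pasted into a search."""
    return f"earliest={window['earliest']} latest={window['latest']}"

if __name__ == "__main__":
    print(paste_snippet(snap_window(SAMPLE_EMAIL)))
```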