I would like to be able to provide a timestamp and have Splunk return the log nearest/before the timestamp and nearest/after the timestamp, essentially bookending the provided timestamp.
The use case is that a report is given to me with an "event" occurring at a given timestamp. I want to search and find the authentication "start" and authentication "stop" messages for the device/user associated with the event that encompass the timestamp.
Ideas?
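One way to bookend a timestamp in SPL, added here as an example that is not part of the original question. It assumes a hypothetical `index=auth` with fields `user` and `action` (values `start` and `stop`) and a constructed event time of 15 Jan 2024 14:32:10; substitute your own index, field names and time. The first search takes the most recent `start` at or before the timestamp, the appended subsearch takes the earliest `stop` at or after it, and both windows are bounded to a day so that neither search has to scan all time:

```spl
index=auth user="jdoe" action="start"
    earliest="01/15/2024:00:00:00" latest="01/15/2024:14:32:10"
| head 1
| eval side="before"
| append
    [ search index=auth user="jdoe" action="stop"
          earliest="01/15/2024:14:32:10" latest="01/16/2024:00:00:00"
      | sort 0 _time
      | head 1
      | eval side="after" ]
| eval when=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table side when user action _raw
```

`head 1` on the outer search works because Splunk returns events newest first, so the first row is the last `start` before the timestamp; the subsearch is re-sorted ascending with `sort 0 _time` (the `0` lifts the default 10,000-row sort limit) so that `head 1` there yields the first `stop` after it. If a session has no `stop` yet, the `after` row is simply absent, which is itself a useful signal when reconstructing the session around the reported event.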