https://community.splunk.com/t5/Monitoring-Splunk/How-does-the-addinfo-command-work-with-time/m-p/370869#M5587 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170132">@Esky73</a>, <CODE>| addinfo</CODE> command adds search related metadata info to the search results so that the same can be reused. I think the documentation is fairly detailed as to what each for the <CODE>info_*</CODE> fields do </P> <PRE><CODE>info_min_time : Earliest time selected for the search you ran (this would be the earliest time from the Time Picker that you run or else if you have used `earliest` parameter in the base search) info_max_time : Latest time selected for the search you ran (this would be the latest time from the Time Picker that you run or else if you have used `latest` parameter in the base search) info_sid : The Search ID of the search job that generated the event/s. This will help you re-run the search or pull the results from the search using this ID. (REST endpoints reference are listed here: http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#REST_endpoints_for_searches) info_search_time : The time when the Search job was executed. This would be the same as info_max_time when your latest time is `now()` or `@s` </CODE></PRE> <P>If you want to see these values and understand how they work you can change the second query in the addinfo reference documentation like the following and re-run the search with different Time ranges:</P> <PRE><CODE>&lt;YourBaseSearch&gt; | stats latest(_time) AS latest_time BY host | addinfo | fieldformat latest_time=strftime(latest_time,"%c") | fieldformat info_min_time=strftime(info_min_time,"%c") | fieldformat info_max_time=strftime(info_max_time,"%c") | fieldformat info_search_time=strftime(info_search_time,"%c") | table host latest info_* </CODE></PRE> <P>Actually in the query the pipe <CODE>| eval latest_age = info_max_time - latest_time, is used to calculate the</CODE>age of last event received per host<CODE>, using latest event received per host (i.e. latest_time) by subtracting it from latest time which is being seen using</CODE>latest from the time range picker` (i.e. info_max_time). Let us know if you require further details.</P> Tue, 29 Sep 2020 15:26:28 GMT niketn 2020-09-29T15:26:28Z https://community.splunk.com/t5/Monitoring-Splunk/How-does-the-addinfo-command-work-with-time/m-p/370868#M5586 <P>The new fields that are created when using the addinfo cmd</P> <P>info_min_time The earliest time boundary for the search.<BR /> info_max_time The latest time boundary for the search.</P> <P>How are they calculated ?</P> <P>I've used the Example 2 as detailed here to create a search : <A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addinfo" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addinfo</A></P> <P>Looking to find more info as to what the new created fields do.</P> <P>thx</P> Tue, 29 Sep 2020 15:22:04 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-does-the-addinfo-command-work-with-time/m-p/370868#M5586 Esky73 2020-09-29T15:22:04Z https://community.splunk.com/t5/Monitoring-Splunk/How-does-the-addinfo-command-work-with-time/m-p/370869#M5587 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170132">@Esky73</a>, <CODE>| addinfo</CODE> command adds search related metadata info to the search results so that the same can be reused. I think the documentation is fairly detailed as to what each for the <CODE>info_*</CODE> fields do </P> <PRE><CODE>info_min_time : Earliest time selected for the search you ran (this would be the earliest time from the Time Picker that you run or else if you have used `earliest` parameter in the base search) info_max_time : Latest time selected for the search you ran (this would be the latest time from the Time Picker that you run or else if you have used `latest` parameter in the base search) info_sid : The Search ID of the search job that generated the event/s. This will help you re-run the search or pull the results from the search using this ID. (REST endpoints reference are listed here: http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#REST_endpoints_for_searches) info_search_time : The time when the Search job was executed. This would be the same as info_max_time when your latest time is `now()` or `@s` </CODE></PRE> <P>If you want to see these values and understand how they work you can change the second query in the addinfo reference documentation like the following and re-run the search with different Time ranges:</P> <PRE><CODE>&lt;YourBaseSearch&gt; | stats latest(_time) AS latest_time BY host | addinfo | fieldformat latest_time=strftime(latest_time,"%c") | fieldformat info_min_time=strftime(info_min_time,"%c") | fieldformat info_max_time=strftime(info_max_time,"%c") | fieldformat info_search_time=strftime(info_search_time,"%c") | table host latest info_* </CODE></PRE> <P>Actually in the query the pipe <CODE>| eval latest_age = info_max_time - latest_time, is used to calculate the</CODE>age of last event received per host<CODE>, using latest event received per host (i.e. latest_time) by subtracting it from latest time which is being seen using</CODE>latest from the time range picker` (i.e. info_max_time). Let us know if you require further details.</P> Tue, 29 Sep 2020 15:26:28 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-does-the-addinfo-command-work-with-time/m-p/370869#M5587 niketn 2020-09-29T15:26:28Z