topic Re: How to use two time ranges in one search in Dashboards & Visualizations

How to use two time ranges in one search

anuremanan88 — Thu, 05 Oct 2017 20:41:53 GMT

Hi I am trying to search for two event types each in different time range. Here i am using time token. The eventtypes are "Password Change" and "Login". When i apply search for last 4 hrs, my query should search "password change" event for last 4 hrs and "login" event for last 8hrs. Similarly when i change the time filter my query should change accordingly.

index=new (EventType="Password Change" earliest=$token.earliest$ latest=$token.earliest$) OR (EventType="Login" earliest=$token.earliest$-4h latest=$token.earliest$) | remaining query

Anyone can help me in this?

Re: How to use two time ranges in one search

niketn — Fri, 06 Oct 2017 06:35:39 GMT

@anuremanan88, I think you need to use sub-searches for two different EventType with specific timerange using earliest and latest. You can use append, join, multisearch or union command based on your use case(search type). Refer to the following documentation for deciding your option/s:

http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Union

Re: How to use two time ranges in one search

cmerriman — Fri, 06 Oct 2017 12:13:10 GMT

try this:

index=new (EventType="Password Change" earliest=$earliest.earliest$) OR (EventType="Login" earliest=$earliest.earliest$-4h latest=$earliest.earliest$)

to see the token for earliest, use <form script="showtokens.js"> at the top of the source code. when i was testing it, my earliest was $earliest.earliest$ , not $token.earliest$ . You don't need to put a latest in your first search, if you're looking for the last four hours. if you do want a latest, perhaps use latest=$earliest.earliest$+4h

<form script="showtokens.js">
  <label>testdash</label>
  <fieldset submitButton="true">
    <input type="time" token="earliest">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=myindex (sourcetype=mysource1 earliest=$earliest.earliest$) OR (sourcetype=mysource2 earliest=$earliest.earliest$-4h latest=$earliest.earliest$)|stats earliest(_time) latest(_time) by sourcetype</query>
          <earliest>-4h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

Re: How to use two time ranges in one search

anuremanan88 — Fri, 06 Oct 2017 13:40:05 GMT

Hi ,

Thank You for your inputs. This worked when i use relative time as input. However when i give Date and time range as input. i am getting the below error

Invalid value "1506657600-4h" for time term 'earliest'

Hoe to fix this?

Re: How to use two time ranges in one search

niketn — Fri, 06 Oct 2017 13:45:15 GMT

@ anuremanan88, Try $earliest.earliest$-14400 instead of $earliest.earliest$-4h

Re: How to use two time ranges in one search

anuremanan88 — Fri, 06 Oct 2017 14:04:03 GMT

It gives the same result " Invalid value "1506657600-14400" for time term 'earliest' "