topic Re: Earliest + |search doesn't work in Dashboards & Visualizations

Earliest + |search doesn't work

gschmitz — Tue, 26 Mar 2013 05:04:59 GMT

Hi all,
I got some weird behavior with earliest. This one works just fine
index=ci-x sourcetype=cpuByType earliest=-1d
where as
index=ci-x sourcetype=cpuByType |search earliest=-1d
does not. From
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Search#Time_options
however I expected it to work.
Can anybody share some light into this?

The reason I want to do it this way is, that I want to accelerate some common stored search and show different ranges later in my charts. If you know a better way to achieve fast charts, please let me know 🙂

Re: Earliest + |search doesn't work

gschmitz — Tue, 26 Mar 2013 05:26:25 GMT

It's getting more and more weird:
|savedsearch "CPU Load By Type" earliest=-d
works as expected, but when my form renders the template for the chart it simply drops the earliest altogether!
I almost think I found a bug here...

Re: Earliest + |search doesn't work

sideview — Tue, 26 Mar 2013 07:37:14 GMT

The ability to put earliest and latest searchterms into the search clause feels very natural but it's kind of a backdoor. Earliest and latest are technically separate API arguments, that you specify them separately from the searchstring. Splunk allows you to put them into the search string, but it's more like it's doing you a favor. And there are some limitations. As you've found, they only work if they are in the initial search clause, but also you can't use them in boolean expressions like (earliest=-1d latest=now) OR (earliest=-4d latest=-3d). And if you try such things splunkd will often ignore you.

As to how you might filter by time outside of the first search clause, say for a situation where you have some existing scheduled search results and you want to apply postProcess logic to it, you can filter the rows by time by simply comparing the _time values using search or where. Remember when you do this, that _time may sometimes look and feel like a string-formatted time, but it's actually an epochtime value, meaning it's just the number of seconds since 01/01/1970.

Here are some examples:

| where _time<relative_time(now(), "-1d@d")

| where _time<someOtherEpochTimeValuedField

| where _time>relative_time(now(), "-4h") AND _time<relative_time(now(), "-2h")

Re: Earliest + |search doesn't work

gschmitz — Tue, 26 Mar 2013 07:45:29 GMT

Works for me. Didn't think about combining where with relative_time
Note: you can also limit the results within the and <table> elements in a form!