https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367123#M108286 <P>I want to run a query every 5 minutes starting from today 7 AM to next day 5 AM and so on. Throughout my run earliest time should be 7 AM today and latest can be now.</P> <P>I tried several combinations but everything messed up when running over the mid noght. after the 12 00 AM the earliest is becoming invalid. All of the below methods taking earliest time as 7 AM till end of the day. when running after the mid night throwing error saying earliest time should not be greater than latest time.</P> <PRE><CODE>Try 1 | makeresults | eval starttime=strptime(strftime(now(),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+7920 Try 2 earliest=@d+7h Try 3 | eval now=now() | eval earliest=relative_time(now, "@d+1d+7h") | eval earliest=if((earliest&lt;now), earliest, relative_time(now, "@d+7h")) | eval search = "earliest=" . earliest | table search] </CODE></PRE> Wed, 27 Dec 2017 16:56:04 GMT Kwip 2017-12-27T16:56:04Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367123#M108286 <P>I want to run a query every 5 minutes starting from today 7 AM to next day 5 AM and so on. Throughout my run earliest time should be 7 AM today and latest can be now.</P> <P>I tried several combinations but everything messed up when running over the mid noght. after the 12 00 AM the earliest is becoming invalid. All of the below methods taking earliest time as 7 AM till end of the day. when running after the mid night throwing error saying earliest time should not be greater than latest time.</P> <PRE><CODE>Try 1 | makeresults | eval starttime=strptime(strftime(now(),"%d/%m/%Y 07:00:00 AM"),"%d/%m/%Y %I:%M:%S %p") , endtime=starttime+7920 Try 2 earliest=@d+7h Try 3 | eval now=now() | eval earliest=relative_time(now, "@d+1d+7h") | eval earliest=if((earliest&lt;now), earliest, relative_time(now, "@d+7h")) | eval search = "earliest=" . earliest | table search] </CODE></PRE> Wed, 27 Dec 2017 16:56:04 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367123#M108286 Kwip 2017-12-27T16:56:04Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367124#M108287 <P>Try like this</P> <PRE><CODE>your base search [| makeresults | eval earliest=if(now()&lt;=relative_time(now(),"@d+5h"),"-1d@d+7h","@d+7h") | eval latest="now" | table earliest latest ] </CODE></PRE> Wed, 27 Dec 2017 17:08:48 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367124#M108287 somesoni2 2017-12-27T17:08:48Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367125#M108288 <P>Try something like this:</P> <PRE><CODE>&lt;your base search&gt; [| makeresults | addinfo | eval latest=now() | eval today_7_am=relative_time(latest, "@d+7h") | eval yesterday_7_am=relative_time(latest, "-1d@d+7h") | eval earliest=if(today_7_am&lt;latest, today_7_am, yesterday_7_am) | table earliest] </CODE></PRE> <P>That does a simple comparison of your calculated earliest times to determine which was actually in the past, and chooses that one. </P> Wed, 27 Dec 2017 17:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367125#M108288 micahkemp 2017-12-27T17:20:13Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367126#M108289 <P>This seems to be a <A href="https://answers.splunk.com/answers/582477/how-do-i-set-search-start-time-and-end-time-on-das.html">duplicate</A>.</P> Wed, 27 Dec 2017 18:30:43 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367126#M108289 micahkemp 2017-12-27T18:30:43Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367127#M108290 <P><CODE>index=_internal [| makeresults | eval earliest=if(now()&lt;=relative_time(now(),"@d+5h"),"-1d@d+7h","@d+7h") | eval latest="now" | table earliest latest ]</CODE></P> <P>I tried it and it gave me an error "<EM>Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side</EM>."</P> <P>How to create new earliest and latest time fields and use them in query </P> Wed, 27 Dec 2017 22:55:43 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367127#M108290 nawazns5038 2017-12-27T22:55:43Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367128#M108291 <P>Verifying this query. Working fine now. Will verify over mid night window and let you know the outcome.</P> Thu, 28 Dec 2017 01:23:44 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367128#M108291 Kwip 2017-12-28T01:23:44Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367129#M108292 <P>Verifying this query. Working fine now. Will verify over mid night window and let you know the outcome.</P> Thu, 28 Dec 2017 01:29:06 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367129#M108292 Kwip 2017-12-28T01:29:06Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367130#M108293 <P>@ somesoni2,<BR /> Wow!! Thank you very much It is working fine!</P> Thu, 28 Dec 2017 06:15:53 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367130#M108293 Kwip 2017-12-28T06:15:53Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367131#M108294 <P>@ micahkemp,<BR /> Wow!! Thank you very much It is working fine!</P> Thu, 28 Dec 2017 06:16:30 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367131#M108294 Kwip 2017-12-28T06:16:30Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367132#M108295 <P>How did you verify ? </P> <P>How did you use the earliest and latest time fields created by the query into _time of Splunk. </P> Thu, 28 Dec 2017 22:00:46 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367132#M108295 nawazns5038 2017-12-28T22:00:46Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367133#M108296 <P>@nawazns5038<BR /> You no need anything else apart from adding the particular portion in the query.</P> <PRE><CODE>your base search [| makeresults | eval earliest=if(now()&lt;=relative_time(now(),"@d+5h"),"-1d@d+7h","@d+7h") | eval latest="now" | table earliest latest ] | stats/eval/table/or whatever operation you want to perform. </CODE></PRE> <P>While running this query, running span will be automatically taken from this query.</P> Fri, 29 Dec 2017 01:28:48 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367133#M108296 Kwip 2017-12-29T01:28:48Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367134#M108297 <P>@somesoni2<BR /> I am getting below error while using this query after the splunk upgrade to 7.0. Any thoughts?</P> <P>Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.</P> Thu, 02 Aug 2018 21:04:22 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367134#M108297 Kwip 2018-08-02T21:04:22Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367135#M108298 <P>Try this</P> <PRE><CODE>your base search [| makeresults | eval earliest=if(now()&lt;=relative_time(now(),"@d+5h"),"-1d@d+7h","@d+7h") | eval latest="now" | table earliest latest | format ] | stats/eval/table/or whatever operation you want to perform. </CODE></PRE> <P>OR</P> <PRE><CODE>your base search [| makeresults | eval earliest=if(now()&lt;=relative_time(now(),"@d+5h"),"-1d@d+7h","@d+7h") | eval latest="now" | table earliest latest | format "" "" "" "" "" ""] | stats/eval/table/or whatever operation you want to perform. </CODE></PRE> Thu, 02 Aug 2018 23:17:09 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367135#M108298 somesoni2 2018-08-02T23:17:09Z https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367136#M108299 <P>Thank you @somesoni2, It is working fine.</P> Fri, 03 Aug 2018 18:08:52 GMT https://community.splunk.com/t5/Splunk-Search/Query-running-time/m-p/367136#M108299 Kwip 2018-08-03T18:08:52Z