topic Re: Setting earliest and latest. in Splunk Search

Setting earliest and latest.

shikata74 — Tue, 21 Jan 2020 16:06:43 GMT

I want to search data from "earliest" to "earliest" + 5 minutes later.

How should I implement it ?

I tried the following, but failed.
index=xxxx earliest="yyyy/mm/dd hh:mm:ss" latest=earliest+5m

Re: Setting earliest and latest.

jpolvino — Tue, 21 Jan 2020 16:57:11 GMT

I'm interested in this as well. Here is a way to do it using a couple steps, not sure it will work in your case.

index=xxxx sourcetype=yyyy earliest="1/21/2020:11:40:00"
| addinfo
| eval latest=info_min_time+300
| where _time<=latest
| (the rest of your search)

The addinfo command is used here to expose internal fields. You can see many of these in the Job Inspector.

Re: Setting earliest and latest.

efavreau — Tue, 21 Jan 2020 17:00:57 GMT

Let me check to see if I understand correctly. Are you looking for your earliest time is be fixed to a date and time, but you want your latest to be a relative time? Either both are fixed or both are relative.

However, If you are looking for both earliest and latest to be relative, than that's possible. Let's look at 2 hours ago for earliest and then 1 hour and 55 minutes ago (5 minutes after the earliest):
earliest=-2h latest=-2h+5m

Re: Setting earliest and latest.

efavreau — Tue, 21 Jan 2020 17:27:33 GMT

This is a creative workaround the absolute/relative time modifiers. I don't understand the use case, but bravo.

Re: Setting earliest and latest.

to4kawa — Tue, 21 Jan 2020 23:31:32 GMT

 your_search  [| makeresults 
| eval earliest="1/22/2020:08:00:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")
| format "(" "" "" "" "" ")"]

Hi, folks.
Making time modifiers, you can take earliest and latest to main search.

Re: Setting earliest and latest.

shikata74 — Wed, 22 Jan 2020 01:19:07 GMT

Thank you for your help.
I can get the results which I want.

Re: Setting earliest and latest.

jpolvino — Wed, 22 Jan 2020 12:59:04 GMT

Be sure to "accept as answer" the solution that works for you so that others can benefit,

Re: Setting earliest and latest.

shikata74 — Wed, 30 Sep 2020 03:53:52 GMT

Please advice me,

I want to use relative time in the "earliest".
Because "formtime" in the below is set when clicked in the dashboard.

I tried below, but I can't get anything.

Re: Setting earliest and latest.

to4kawa — Thu, 23 Jan 2020 08:49:55 GMT

| eval formtime=strptime(ss,"%m/%d/%Y:%T")
ss?

Re: Setting earliest and latest.

shikata74 — Wed, 30 Sep 2020 03:48:05 GMT

Sorry,

$time1$ is decided when _time is clicked on the dashboard.

Re: Setting earliest and latest.

to4kawa — Thu, 23 Jan 2020 17:53:48 GMT

index=xxx my_search
[| makeresults
| eval formtime=$time1$
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

$time1$ is epoch. do not strptime()

Re: Setting earliest and latest.

shikata74 — Fri, 24 Jan 2020 03:09:51 GMT

Thank you,

I think earliest and latest are set correctly, but no data was retrieved.
( Data in the time range exist definitely. )

Do u have any idea ?

Re: Setting earliest and latest.

to4kawa — Fri, 24 Jan 2020 09:52:56 GMT

wrong viz, maybe.

Re: Setting earliest and latest.

shikata74 — Wed, 30 Sep 2020 03:54:47 GMT

Thank you.