topic Re: How do I get search start time and end time value ? in Splunk Search

How do I get search start time and end time value ?

zacksoft — Thu, 24 Sep 2020 16:00:21 GMT

How do I get the job-execution start time and job execution endtime of my query as output of the query.

index = some_index source = somesoure
| some_logic added here
| eval search_starttime = $job.earliestTime$
| eval search_endtime = $job.latestTime$
| table some_logic_output search_starttime search_endtime

I am seeing no result for the search_starttime and search_endtime column in my table.
Any help ?

What I mean here is, how do I get the _time value for the earliest event and the _time value of my latest event of my search resultset ?

Re: How do I get search start time and end time value ?

richgalloway — Thu, 24 Sep 2020 15:30:17 GMT

Try addinfo.

Re: How do I get search start time and end time value ?

zacksoft — Thu, 24 Sep 2020 15:58:34 GMT

@richgalloway It gives me search_starttime as 0 and search_endtime as+infinity. 😞
Sorry , for the confusion.
But what I meant is, how do I get the _time value for the earliest event and the _time value of my latest event of my search result.

Re: How do I get search start time and end time value ?

isoutamo — Thu, 24 Sep 2020 16:06:47 GMT

Please try

.... | stats .... earliest_time(_time) as eTime latest_time(_time) as lTime ....

Re: How do I get search start time and end time value ?

zacksoft — Thu, 24 Sep 2020 16:32:58 GMT

Thanks @isoutamo
But my problem is if I use stats then that value isn't get dynamically passed to the macro.

search index = index_name source = source_name
| fields + bio, _time
| stats earliest_time(_time) as eTime latest_time(_time) as lTime
| eval Proj_Name = "my big project"
| `my_Macro(Proj_name, eTime, lTime)`
|table proj_value , proj_date

In the above case the macro doesn't get invoked.

However if I change something like below then the macro works and I get the desired result.

search index = index_name source = source_name
| fields + bio, _time
| eval eTime=6735475120.999
|eval lTime=6542213344.976
| eval Proj_Name = "my big project"
| `my_Macro(Proj_name, eTime, lTime)`
|table proj_value , proj_date

It works with eval statement But I cannot hard-code the earliest and latest time. It has to to be dynamic based on the latest_event time and earliest event time. In the macro eTime and lTime values gets passed as earliest and latest values of a dashboard URL, and the Macro outputs that URL along with few other values.

Re: How do I get search start time and end time value ?

pwilson — Thu, 08 Sep 2022 18:10:52 GMT

The eventstats command is what you're looking for. Please try:

search index = index_name source = source_name
| fields + bio, _time
| eventstats earliest_time(_time) as eTime latest_time(_time) as lTime
| eval Proj_Name = "my big project"
| `my_Macro(Proj_name, eTime, lTime)`
| table proj_value , proj_date

eventstats splunk doc