topic Splunk relative time in Splunk Search

Splunk relative time

jdmclemore — Sat, 03 Oct 2020 05:08:43 GMT

Today is 10/2/2020. I need to execute 6 searches using relative time for last month (earliest= & latest=) that are each 5 days in length.

Specifically:

9/01/2020:00:00:00 - 9/05/2020:23:59:59

9/06/2020:00:00:00 - 9/10/2020:23:59:59

9/11/2020:00:00:00 - 9/15/2020:23:59:59

9/16/2020:00:00:00 - 9/20/2020:23:59:59

9/21/2020:00:00:00 - 9/25/2020:23:59:59

9/26/2020:00:00:00 - 9/30/2020:23:59:59

I'd love to use these exact times as earliest/latest, or even epoch times, but that won't work in my particular situation.

How can I represent the 6 spans above in relative time?

Re: Splunk relative time

gcusello — Sat, 03 Oct 2020 06:25:33 GMT

Hi @jdmclemore,

let me understand: you want to count events in the period from 9/01/2020:00:00:00 to 9/30/2020:23:59:59 wiyj a span of 5 days, is it correct?

if this is your need, please, try something like this:

your search earliest="9/01/2020:00:00:00" latest="9/30/2020:23:59:59" | timechart span=5d count

Ciao.

Giuseppe

Re: Splunk relative time

jdmclemore — Sat, 03 Oct 2020 12:21:13 GMT

Hi - thanks for the reply.

No, not counting events, just doing regular searches. But I'm wondering how you would represent each of those time spans with relative time notation instead of using the actual time. I know, it's a strange request...but can it be done?

Re: Splunk relative time

Nisha18789 — Sat, 03 Oct 2020 22:22:34 GMT

hi @jdmclemore , you can use below notation for relative times

earliest=-30d@d latest=-25d@d

Re: Splunk relative time

inventsekar — Sun, 04 Oct 2020 03:53:13 GMT

Hi @jdmclemore ..

As @gcusello suggested, for earliest and latest times, we can simply use the exact times as well.

(Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as earliest="10/5/2016:20:00:00", or a relative time such as earliest=-h or latest=@w6.)

or, to convert your required times to epoch, pls use this strptime command:

Please check it:

(PS - i have given around 500+ karma points so far, received badge for that, if an answer helped you, a karma point would be nice!. we all should start "Learn, Give Back, Have Fun")

Re: Splunk relative time

inventsekar — Sun, 04 Oct 2020 05:19:15 GMT

now=10/3/20 11:08:48.000 PM

Hi @Nisha18789 .. the idea was good.. but it may give some issues:
index=ioc earliest=-30d@d latest=-25d@d
(you can open the inspect job and see the exact timeframe which was applied for your search)

9/3/20 12:00:00.000 AM - 9/8/20 12:00:00.000 AM

Hi @jdmclemore ... Please try these methods:

index=ioc earliest=-1mon@mon latest=-1mon@+2d@d
(you can open the inspect job and see the exact timeframe which was applied for your search)

9/1/20 12:00:00.000 AM - 9/5/20 12:00:00.000 AM

index=ioc earliest=-1mon@+2d@d latest=-1mon@+7d@d

9/5/20 12:00:00.000 AM - 9/10/20 12:00:00.000 AM

Re: Splunk relative time

jdmclemore — Tue, 06 Oct 2020 13:48:32 GMT

That's what I was looking for - thank you!