topic Re: Peculiar Time requirement in Splunk Search

Peculiar Time requirement

kengilmour — Wed, 10 Apr 2013 09:51:17 GMT

Hello,

I have a very peculiar time problem that I want to fix with a quick and dirty fix. I am creating a sparkline that I need for a real-time dashboard for the SOC. The problem is that I have a sourcetype and source filename from multiple different servers with different timezone settings. The logfile timestamp doesn't contain the timezone differentiator so it's difficult to write something in the inputs for these files.

A solution that will work though is that if i could see logs for the "earliest=-4h" and "latest=-2h" of course, the problem with this is that it's not real-time and has to be refreshed manually. The logs 2 hours ago are the current latest logs.

So based on http://docs.splunk.com/Documentation/Splunk/latest/Search/Specifytimemodifiersinyoursearch I have come up with:

-2h@now-2h
now@-2h
-2h@now

None of these work and I can't save the sparkline dashboard panel. Am I getting the syntax wrong or is this just not supposed to work this way?

Thanks!

Ken

Re: Peculiar Time requirement

kristian_kolb — Wed, 10 Apr 2013 10:40:31 GMT

earliest=rt-2h would give you a sliding window of the last two hours.

earliest=rt-4h latest=rt-2h would give you a sliding window of the two hours preceeding that.

However, it would probably be best if you corrected your timezones with the props.conf TZ setting for your sources/sourcetypes/hosts.

Re: Peculiar Time requirement

kengilmour — Wed, 10 Apr 2013 11:21:52 GMT

This is brilliant it worked thanks so much! 🙂

Re: Peculiar Time requirement

kengilmour — Wed, 10 Apr 2013 11:22:06 GMT

This is brilliant, it worked! Thanks so much 🙂