topic How to set time span in relative terms? in Splunk Search

How to set time span in relative terms?

ggillini — Tue, 29 Sep 2020 09:08:20 GMT

I have a form where I accept two inputs: a phone number and a time picker for the search. I need to make a search for this phone number in the selected period. Than I need to make one more search (with a join) with a different query for the same phone number but with a different time range: if the first search was made on day x (meaning the user selected day x on time picker), I need the search inside the join to be made on day x to day x+2. I cannot find out a way to get this.
I tried using relative_time() function, but you cannot use it for evaluating "latest" parameter. So I tried defining a macro (found something about that here), but whatever I try I get the usual (meaningless) error "The definition of macro is expected to be an eval expression that returns a string".
Any way to get this? This is my (simplified) query

index=xxx sourcetype="log4j" dstphonenumber =$f_mobileNum$ earliest=$f_time.earliest$ latest=$f_time.latest$ | join type=left smsid [search index=xxx smslogprefix=SOMEVALUE dstphonenumber=$f_mobileNum$ earliest=$f_time.earliest$ latest=WHAT TO PUT HERE? ]

Re: How to set time span in relative terms?

somesoni2 — Fri, 18 Mar 2016 19:51:42 GMT

Try something like this (the subsearch inside the join subsearch is updating the earliest and latest for the join subsearch)

<search>
          <query>
        index=xxx sourcetype="log4j" dstphonenumber =$f_mobileNum$   | join type=left smsid [search index=xxx smslogprefix=SOMEVALUE dstphonenumber=$f_mobileNum$ [| gentimes start=-1 | addinfo | eval earliest=info_min_time | eval latest=relative_time(info_min_time,"+2d") | table earliest latest | format "" "" "" "" "" ""] ] | .....rest of the commands...
          </query>
            <earliest>$f_time.earliest$</earliest>
            <latest>$f_time.latest$</latest>
</search>

Re: How to set time span in relative terms?

ggillini — Mon, 21 Mar 2016 16:25:13 GMT

Thanks for your answer. First of all, with your query I don't get any more errors, and this is ok. Then I need to check if this does what I want, and eventually I will need to understand what it's actually doing, But it is a good start at least

Re: How to set time span in relative terms?

ggillini — Thu, 31 Mar 2016 13:26:55 GMT

Unfortunately it looks like your answer doesn't solve my problem.
The matter is how gentimes command works. In the way you wrote it, it ALWAYS starts from yesterday, so my search will get up to end on today + 2 days. I need to have earliest time equal to the one on the main search, and latest time equal to the one on the main search +2 days.
This means I cannot use a constant in input to gentimes, like you did. I tried using the value of the choice made by the user, but it's not accepted as it is in "time picker" format (a string like '-1d@d'), and it looks like that format is not accepted in a different context.
What it seems to me is that Splunk is quite inconsistent in the way it allows timestamps and time-related values, in general, to be manipulated in different contexts.