topic custom time range to sub search in Splunk Search

custom time range to sub search

amerineni — Wed, 30 Sep 2020 02:19:54 GMT

Hi, I want to run a search for a selected time range, and also want to do a sub search for the same duration in the previous interval. For example if user selects the last 60 mins as time range, then i want to do a sub search for the previous hour. Please help me how we can achieve this. Thanks.

..my search | eval range=info_max_time - info_min_time | [search earliest=earliest from time range - range latest=latest from time range - range]

Re: custom time range to sub search

HiroshiSatoh — Tue, 24 Sep 2019 05:21:33 GMT

For search, the sub-search is searched first. Therefore, it is possible to set the time range of the original search based on the subsearch results.

index=_internal source=*splunkd_access.log* [search earliest=-1d@d index=_internal source=*splunkd.log* ERROR | tail 1 | eval earliest=_time-60 | eval latest=_time+60 | table earliest latest | format "(" "(" "" ")" "OR" ")" ]

I changed it dynamically. There are default restrictions on the subsearch results, so change them.

index=_internal source=*splunkd_access.log* 
 [| makeresults 
  | addinfo 
  | eval latest=info_min_time
  | eval earliest=latest-(info_max_time-info_min_time)
  | table earliest latest 
  | format "(" "(" "" ")" "OR" ")" ]
| head 1
| append [search index=_internal source=*splunkd_access.log*|head 1]

Re: custom time range to sub search

amerineni — Tue, 24 Sep 2019 17:22:07 GMT

the time range is not fixed here. If user selects last 60 mins, then i should compare the trend with the previous 60 mins. If user selects last 4 hours in time picker, the the subs search should compare the results with 4 hours before that time range. So the subs search time range should be calculated dynamically based on the user picked time range.

Re: custom time range to sub search

HiroshiSatoh — Wed, 25 Sep 2019 05:01:40 GMT

Added answer.