topic Re: Invalid value "$earliest$" for time term 'earliest' in Splunk Search

Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful — Wed, 31 Jul 2024 10:41:22 GMT

Hi Splukers

I'm looking for cross compare some events with other system data, using an initial search for the event and then using map to load data from another index

index=event sourcetype=eventdat | where like(details,"...")) | eval earliest=floor(_time), latest=ceil(_time+2) | table _time details earliest latest | map [ search index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$ | stats count as counter | eval details=$details$, earliest=$earliest$, latest=$latest$ | table _time details counter earliest latest] maxsearches=10

When running I get the error:
Invalid value "$earliest$" for time term 'earliest'

I've tried $$ and "$...$" with no luck. I can't figure out why $earliest$ isn't being passed.

Any help would be appreciated (:

Notes: I've reviewed these posts but they don't seem relevant

https://community.splunk.com/t5/Splunk-Search/Invalid-value-X-for-time-term-earliest-but-only-for-specific/m-p/624962#M217251

https://community.splunk.com/t5/Splunk-Search/Invalid-value-quot-week-quot-for-time-term-earliest/m-p/469491#M132104

Re: Invalid value "$earliest$" for time term 'earliest'

richgalloway — Wed, 31 Jul 2024 12:25:09 GMT

It's not that $earliest$ is not being passed, it's that the value being passed is invalid. The value for the earliest option must be a time modifier ("-1d", for example) or a timestamp in the format %m/%d/%Y:%H:%M:%S. It cannot be an epoch timestamp, but you can use strftime to convert an epoch into the expected format.

| eval earliest = strftime(earliest, "%m/%d/%Y:%H:%M:%S")

Re: Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful — Wed, 31 Jul 2024 13:45:07 GMT

Hi @richgalloway

Thanks for the tip, I've updated my query

index=event sourcetype=eventdat | where like(details,"...")) | eval earliest=strftime(floor(_time), "%m/%d/%Y:%H:%M:%S"), latest=strftime(ceil(_time+2), "%m/%d/%Y:%H:%M:%S") | table _time details earliest latest | map [ search index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$ | stats count as counter | eval details=$details$, earliest="$earliest$", latest="$latest$" | table _time details counter earliest latest] maxsearches=10

It's still throwing the error

Invalid value "$earliest$" for time term 'earliest'

Re: Invalid value "$earliest$" for time term 'earliest'

richgalloway — Wed, 31 Jul 2024 14:38:02 GMT

I see another syntax error. The map command expects its search string to be in quotation marks rather than as a subsearch. The $earliest$ form doesn't work in subsearches (except in a dashboard).

index=event sourcetype=eventdat | where like(details,"...")) | eval earliest=strftime(floor(_time), "%m/%d/%Y:%H:%M:%S"), latest=strftime(ceil(_time+2), "%m/%d/%Y:%H:%M:%S") | table _time details earliest latest | map maxsearches=10 search = "index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$ | stats count as counter | eval details=$details$, earliest=\"$earliest$\", latest=\"$latest$\" | table _time details counter earliest latest"

Re: Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful — Wed, 31 Jul 2024 14:15:33 GMT

Hmm, the documentation says map can use a subsearch

3. Use the map command with a subsearch
For complex ad hoc searches, use a subsearch for your map search

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map#Basic_examples

Re: Invalid value "$earliest$" for time term 'earliest'

richgalloway — Wed, 31 Jul 2024 14:38:45 GMT

I can't say I've seen that form used in the wild.

Re: Invalid value "$earliest$" for time term 'earliest'

PickleRick — Wed, 31 Jul 2024 14:55:17 GMT

I beg to differ.

I've used earliest/latest with epoch timestamps many times.

Re: Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful — Wed, 31 Jul 2024 14:58:43 GMT

Agreed @PickleRick

I've just done a test and epoch times work just fine with earliest and latest in a search. The formatting seems to be a red herring here.

Re: Invalid value "$earliest$" for time term 'earliest'

PickleRick — Wed, 31 Jul 2024 16:52:35 GMT

It's not very common but it lets you avoid escaping yourself to death 😉

Re: Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful — Thu, 01 Aug 2024 15:03:36 GMT

Some more digging, this seems to be the same issue:

https://community.splunk.com/t5/Splunk-Search/Having-a-problem-substituting-value-for-earliest-in-a-map/m-p/33122

Re: Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful — Mon, 21 Oct 2024 08:19:02 GMT

I've been in touch with support, this is a known issue and there's no plan to fix.

There is a workaround that can be used:

| map [search index=_internal [| makeresults | eval earliest=$earliest$, latest=$latest$ | return earliest, latest]

It's a bit longer and needs another subsearch, but can be easier than escaping everything.

Thanks everyone for their input @PickleRick @richgalloway