topic Re: Restrict search to exclude events from today in Splunk Search

Restrict search to exclude events from today

cafissimo — Thu, 07 Nov 2013 12:18:57 GMT

Hello,
I would like to know how is it possible to narrow every search that a user can launch to exclude events comin from 00:00 of current day.
i know I could use latest=@d, but since the search is issued in a form where there's also a timerange picker, if I put latest=@d it completely override the time range chosen by user.
Maybe should I do some eval after the initial search (

| eval bla bla about time).?

Thanks in advance and kind regards.

Luca Caldiero

Re: Restrict search to exclude events from today

martin_mueller — Thu, 07 Nov 2013 12:39:05 GMT

A dirty way would be to modify the search underneath the form to include this:

... | where _time < relative_time(now(), "@d") | ...

That won't work if users can type in their own search of course. I don't think there's a way to force people into a specific timerange if they also have custom time available from a time range picker.

Re: Restrict search to exclude events from today

cafissimo — Thu, 07 Nov 2013 13:09:22 GMT

Well,
that is what I was looking for. I agree with you that it is a dirty way.
I've also modified times.conf to exclude certain time periods (last 60 minutes, last 4 hours and so on).
I will put this where condition into my form, even if I am quite sure it will slow down searches.

Thanks a lot