topic Re: earliest, latest and time variables in Splunk Search

earliest, latest and time variables

antonioformato — Sat, 17 May 2014 11:35:57 GMT

Hi all,
I have a requirement to create a dashboard view with following search:

<searchString>
index="my_index"  publicip="'$ip$'" xxx earliest=T1 latest=T11=T1+3d"
| append 
[search index="my_index"  publicip="'$ip$'" yyy earliest=T01=T0-3d latest=T0]
| transaction framed_ip_address
| table username, privateip, publicip
</searchString>

Time in Subsearch:

T1=T0-3days
T01=earliest in time picker selection (from user)

Time in main search:

 T1=latest in time picker selection (from user)
 T11=T1+3 days

How do i figure out this request?
using Splunk 6.1.1.

Thank you
Antonio

Re: earliest, latest and time variables

martin_mueller — Sat, 17 May 2014 23:18:29 GMT

I think your T0, T1, T01, T11 specifications are a little messed up... or I'm not picking them up properly. Provide an example with actual dates for each to clarify.

Additionally, describe what your actual use case is - maybe there's a less convoluted solution.

Re: earliest, latest and time variables

antonioformato — Sun, 18 May 2014 08:15:37 GMT

Hi, example with real time specification:

index="index1" sourcetype="sourcetype1" publicip="'x.x.x.x'"  freed earliest="1/20/2014:12:48:00" latest="1/23/2014:12:48:00"
| append [search index="index1" sourcetype="sourcetype1" publicip="'x.x.x.x'" assigned earliest="1/17/2014:11:48:00" latest="01/20/2014:11:48:00"]
| transaction framed_ip_address, publicportrange startswith=assigned endswith=freed 
| search index="index1" sourcetype="sourcetype1" 
| table username, acct_session_id, acct_unique_id, acct_start_time, acct_stop_time

I tried:

[search index=index1 
| addinfo 
| head 1 
| eval earliest=$field1.earliest$
| eval latest=$field1.earliest$+259200 
| fields earliest,latest 
| format "(" "(" "" ")" "OR" ")" ]
index="index1" sourcetype="sourcetype1" publicip="'$ip$'" freed 
| append 
[ [search index=index1
    | addinfo 
    | head 1 
    | eval earliest=$field1.earliest$-259200
    |eval latest=$field1.latest$ 
    | fields earliest,latest 
    | format "(" "(" "" ")" "OR" ")" ]
    search index="index1" sourcetype="sourcetype1" publicip="'$ip$'" assigned
]
| transaction framed_ip_address, publicportrange startswith=assigned endswith=freed
| search index="index1" sourcetype="sourcetype1"
| table username, acct_session_id, acct_unique_id, acct_start_time, acct_stop_time

with last search I got error on second "head 1".
Thank you
Antonio

Re: earliest, latest and time variables

somesoni2 — Sun, 18 May 2014 18:37:12 GMT

Try this

index="my_index"  publicip="'$ip$'" xxx 
[|stats count | addinfo |eval earliest=info_max_time | eval latest=relative_time(info_max_time,"+3d") 
|table earliest, latest |format "" "" "" "" "" "" ]
| append 
[search index="my_index"  publicip="'$ip$'" yyy 
[|stats count | addinfo |eval latest=info_min_time | eval earliest=relative_time(info_max_time,"-3d") 
|table earliest, latest |format "" "" "" "" "" ""]]
| transaction framed_ip_address
| table username, privateip, publicip

Re: earliest, latest and time variables

antonioformato — Mon, 28 Sep 2020 16:39:19 GMT

It doesn't work.
First error on info_max_time
Second error on append: I cannot use two subsearches after append command.

Any advice is welcome
Thank you
AF

Re: earliest, latest and time variables

martin_mueller — Sun, 18 May 2014 23:57:34 GMT

You can get rid of the append entirely like this:

index="my_index" publicip="'$ip$'" [compute earliest=T0-3d and latest=T1+3d]
(
  ( xxx [compute earliest=T1 and latest=T1+3d] )
  OR
  ( yyy [compute earliest=T0-3d and latest=T0] )
)
| transaction, table, whatever

Note, I'm not sure if I've used the correct T0/T1/etc values, adapt as needed.
Note also the need to calculate the overall envelope of time ranges to avoid Splunk searching over all time. Having only the specific time ranges for each OR branch isn't enough.

Re: earliest, latest and time variables

somesoni2 — Mon, 19 May 2014 21:20:14 GMT

Try the updated answer.