All Apps and Add-ons

Custome time "Now" passes nothing

kmattern
Builder

I have a search that looks, in part, like this:

sourcetype=iis cs_uri_stem=*$pub$*.pdf*
earliest=$search.timeRange.earliest$
latest=$search.timeRange.latest$   
| dedup _time, cs_username

All the parameters pass correctly except when the user selects Custom time from the Time picker and clicks on Now. In that event nothing is passed and the search looks like this:

sourcetype=iis cs_uri_stem=*01-c35caa-1*.pdf*
earliest=1393394400
latest=   
| dedup _time, cs_username

I'm not using a Redirector or a URLLoader as all this is happening in one panel.

Why is Latest showing as nothing/Null?

1 Solution

sideview
SplunkTrust
SplunkTrust

1) The best solution here is to just not use the earliest="" and latest="" searchterms in the search at all. the searchterms for the all-time timerange are technically empty. ie the "all time" search is a lack of time terms.

If you just dont put those terms into the 'search' param of the Search module, the module will pick them up and use them to dispatch the search. Don't use an earliest param or latest param either.

2) The only reason you would ever need the legacy searchterms in there explicitly like that is if you were in a subsearch and you needed the subsearch to run over a different timerange than the outer search. If that's the case here, let me know and I'll update my answer.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Instead of this

[ search * | head 1 | eval ... ]

You may want to use this:

[ stats count | eval ... ]

That way you don't even need to touch all default indexes to grab that one event.

sideview
SplunkTrust
SplunkTrust

1) The best solution here is to just not use the earliest="" and latest="" searchterms in the search at all. the searchterms for the all-time timerange are technically empty. ie the "all time" search is a lack of time terms.

If you just dont put those terms into the 'search' param of the Search module, the module will pick them up and use them to dispatch the search. Don't use an earliest param or latest param either.

2) The only reason you would ever need the legacy searchterms in there explicitly like that is if you were in a subsearch and you needed the subsearch to run over a different timerange than the outer search. If that's the case here, let me know and I'll update my answer.

kmattern
Builder

Nick, you're right. I think I duplicated the top portion of an earlier search that drilled down to another search and used them to pass the time ranges. I didn't need them in this search.

I removed them from the search.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

one workaround will be to use below instead of phrase 'latest=$search.timeRange.latest$'

[* | head 1 | eval latest=coalesce($search.timeRange.latest,now()) | table latest]

0 Karma

theouhuios
Motivator

I think that's because it makes it a real time search where the time of the dispatch is considered as the earliest timestamp and increases the data as the data comes in. So there is no latest value for it as time keeps increasing.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...