
Info_max_time and info_min_time issue

mr_brightside
Explorer

Hi,

I have a problem with those fields. I use them in my query to calculate some average statistics.

When I select "All time" in the timerange I get:

info_max_time = "+Infinity"
info_min_time = 0.000

Solution for how to get a valid info_max_time comes up with this:

| eval info_min_time=if(info_max_time="+Infinity", min(_time), info_min_time)

But how could I interpret the info_min_time? Setting it to zero is not applicable, because I use those values for the statistics and none of them could be zero.

I also don't have a _time field, so a query like this:

| eventstats min(_time) as min_time
| eval info_min_time=if(info_max_time="+Infinity", min_time, info_min_time)

won't help

Any suggestions?

Many thanks in advance!

1 Solution

samcogheil
Explorer

Hi

info_min_time and info_max_time represent the bounds of your search - time window. So 'All time' will be 0::infinity. Try setting the time window to '7 days' and you will see epoch time limits for both values.

Additionally - you should have a _time field. It's present for all events and is the date/time of the event that you see. Try using | eval time=_time to see values represented in the variable 'time'.

Also ... if I understand correctly what you are trying to report - "the minimum and maximum timestamps for the results of the search query" - you can use | eventstats max(_time) as maxtime, min(_time) as mintime to populate the min / max _time values present in your query results data.

Sam


mr_brightside
Explorer

I've done exactly as you posted, thanks.

however, there are some principal differences between info_max/min_time and just _time. The main difference is when you select "Last 30 days" info_min_time would be -30d, while min(_time) would be equal to the first syslog we have during this period.

If you calculate something average, then be ready that the results will be very different from when you were using info_min/max_time.

This is for others, who will meet this problem.
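As an added example that is not part of this thread (Python, with constructed timestamps; the hypothetical `addinfo_bounds` stands in for what `| addinfo` reports), the script below shows both points made above: the accepted answer's fallback to min(_time)/max(_time) when the window is "All time" (0 .. +Infinity), and the caveat that a "Last 30 days" window and the event-derived bounds give noticeably different averages when events cover only part of the window.

```python
"""Added example, not code from the thread: search-window bounds
(info_min_time / info_max_time) versus event bounds (min/max of _time)
when computing an average rate, and a fallback for "All time".
All timestamps are constructed sample data."""
import math

DAY = 86400.0
# Constructed anchor "now": 2024-03-31 00:00:00 UTC as epoch seconds
NOW = 1711843200.0

# Constructed _time values: 3 events per day for the last 10 days only,
# although the search window may be 30 days (or "All time").
EVENT_TIMES = [NOW - d * DAY - h * 3600 for d in range(10) for h in (1, 5, 9)]


def addinfo_bounds(window):
    """Hypothetical stand-in for the info_min_time / info_max_time that
    `| addinfo` reports for a preset range. 'all' is what the original
    poster saw: 0 and +Infinity."""
    if window == "all":
        return 0.0, math.inf
    if window.endswith("d"):
        return NOW - int(window[:-1]) * DAY, NOW
    raise ValueError(f"unsupported window: {window}")


def usable_bounds(info_min_time, info_max_time, event_times):
    """The accepted answer's fallback: if a bound is unusable (0 or infinite),
    replace it with min(_time) / max(_time) from the search results."""
    if not event_times:
        raise ValueError("no events to derive bounds from")
    lo, hi = info_min_time, info_max_time
    if lo <= 0 or not math.isfinite(lo):
        lo = min(event_times)
    if not math.isfinite(hi):
        hi = max(event_times)
    return lo, hi


def events_per_day(event_times, lo, hi):
    """Average event rate over [lo, hi]. Refuses infinite or empty spans,
    which is exactly where an 'All time' window breaks the statistic."""
    if not (math.isfinite(lo) and math.isfinite(hi)):
        raise ValueError("cannot average over an infinite window")
    span_days = (hi - lo) / DAY
    if span_days <= 0:
        raise ValueError("empty time span")
    return len(event_times) / span_days


def compare(window):
    """Return (rate over the search window, rate over the event bounds).
    The second value is what `| eventstats min(_time) max(_time)` yields."""
    lo, hi = addinfo_bounds(window)
    win_lo, win_hi = usable_bounds(lo, hi, EVENT_TIMES)
    by_window = events_per_day(EVENT_TIMES, win_lo, win_hi)
    by_events = events_per_day(EVENT_TIMES, min(EVENT_TIMES), max(EVENT_TIMES))
    return by_window, by_events


if __name__ == "__main__":
    for w in ("30d", "all"):
        print(w, compare(w))
```

For the 30-day window the search-window average is 1.0 event/day while the event-bound average is about 3.21 events/day, because the events only span the last 9.33 days; for "All time" the raw bounds cannot be averaged at all, and the fallback makes both numbers identical.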

bnorthway_splun
Splunk Employee

It is mathematically impossible to calculate an average where one of the numbers is infinity. In your case, it probably doesn't matter since you'll have events nearly constantly and samcogheil's solution is probably "good enough".
