Splunk Search

Can I set a latest relative to an absolute earliest time so I don't have to type as much?

dreeck
Path Finder

Yes, lazy.

I'd like to search for events an hour after a specific date/time, using earliest like this:

index=fruit fruitType=Banana earliest="01/08/2018:10:00:00" latest=+1h

Instead of my intended results (1 hr of results) I get many days, plus 1 hour in the future (which is exactly what the query above asks for).

Is there some syntax for latest that will search relative time related to an absolute earliest without having to add an eval?

Lazily,

Dave


elliotproebstel
Champion

The dashboard that @niketnilay coded up for you should do the trick. But if you'd like a strategy for running such a search from the search line, you can use a site like this: https://www.epochconverter.com/

You put in your desired time to convert and select "Local Time". As my browser is set to US Eastern Time (New York), the time stamp from your post converts to this epoch time string: 1516287600. To use this in your search, I'd do it like this:

index=fruit fruitType=Banana earliest=1516287600 latest=+1h

If you are in another time zone, you should use that site (or something similar) to convert to an epoch time stamp that is appropriate for your time zone, and then you can use that as a static value for either earliest or latest.
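The conversion described in this answer, done offline instead of through a website, as an added example that is not part of the original thread or of Splunk itself: it parses an absolute time in Splunk's default "%m/%d/%Y:%H:%M:%S" format in a zone you choose, turns a "+1h"-style modifier into seconds, and emits a search whose earliest and latest are both static epoch values anchored to that absolute time. The zone `EASTERN_STANDARD` is a constructed fixed UTC-5 offset (no daylight saving); the names `fixed_offset`, `splunk_time_to_epoch`, `relative_offset_seconds` and `build_window_search` are this example's own, and only the simple unit forms of a relative modifier (s, m, h, d) are handled, not snap-to forms like "@h".

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Splunk's default absolute time format, as used for earliest= in the thread
# and in the dashboard's strptime() call.
SPLUNK_TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"

# Seconds per unit for the simple relative forms (+1h, -30m, +2d, +90s).
# Snap-to forms such as "-1h@h" are deliberately not supported here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_RELATIVE_RE = re.compile(r"^([+-]?)(\d+)([smhd])$")


def fixed_offset(hours: float, name: str = "") -> tzinfo:
    """Build a fixed-offset zone such as UTC-5.

    A fixed offset ignores daylight saving. For a zone that observes DST,
    pass zoneinfo.ZoneInfo("America/New_York") (assumes the tz database is
    installed) to the functions below instead.
    """
    offset = timedelta(hours=hours)
    return timezone(offset, name) if name else timezone(offset)


# Constructed sample zone: US Eastern standard time, no DST handling.
EASTERN_STANDARD = fixed_offset(-5, "EST")


def splunk_time_to_epoch(text: str, tz: tzinfo) -> int:
    """Interpret a Splunk-format absolute time in tz and return epoch seconds."""
    naive = datetime.strptime(text, SPLUNK_TIME_FORMAT)
    # timestamp() on an aware datetime is independent of the machine's own zone.
    return int(naive.replace(tzinfo=tz).timestamp())


def relative_offset_seconds(modifier: str) -> int:
    """Turn a '+1h' style modifier into a signed number of seconds."""
    m = _RELATIVE_RE.match(modifier.strip())
    if m is None:
        raise ValueError(f"unsupported relative modifier: {modifier!r}")
    sign, amount, unit = m.groups()
    seconds = int(amount) * _UNIT_SECONDS[unit]
    return -seconds if sign == "-" else seconds


def build_window_search(base_search: str, earliest_text: str, tz: tzinfo,
                        latest_modifier: str = "+1h") -> str:
    """Anchor latest to the absolute earliest rather than to 'now'.

    Returns the base search with both bounds written as static epoch values,
    which is the form the search line accepts without an eval.
    """
    earliest = splunk_time_to_epoch(earliest_text, tz)
    latest = earliest + relative_offset_seconds(latest_modifier)
    if latest <= earliest:
        raise ValueError("latest must fall after earliest")
    return f"{base_search} earliest={earliest} latest={latest}"


if __name__ == "__main__":
    # Constructed usage with the search from the question.
    print(build_window_search("index=fruit fruitType=Banana",
                              "01/08/2018:10:00:00", EASTERN_STANDARD))
```

Because the epoch value depends entirely on which zone the text is parsed in, pass the zone explicitly rather than relying on the machine's local time; the same string parsed in UTC lands five hours earlier than in EASTERN_STANDARD.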

dreeck
Path Finder

Huh. I wonder why I can't do this with a human-formatted time. Presumably Splunk can convert my local time to epoch on the back end. Sounds like it only supports absolute epoch values for earliest.


elliotproebstel
Champion

Yeah, for earliest, I believe Splunk supports two formats: epoch timestamp and the relative time formats documented here:
https://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/SearchTimeModifiers


niketn
Legend

@dreeck, following is a run-anywhere dashboard which sets the earliest time as a static value and computes the latest time as 1 hour ahead (i.e. 3600 secs):

<form>
  <label>Static Earliest and Latest</label>
  <fieldset submitButton="false">
    <input type="text" token="tokSelectEarliestTime" searchWhenChanged="true">
      <label>Earliest Time</label>
      <default>01/08/2018:10:00:00</default>
      <change>
        <eval token="tokEarliest">strptime($value$,"%m/%d/%Y:%H:%M:%S")</eval>
        <eval token="tokLatest">strptime($value$,"%m/%d/%Y:%H:%M:%S")+3600</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd earliest="$tokEarliest$"  latest="$tokLatest$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dreeck
Path Finder

Thank you! My question was regarding how to do this on the search line. This is an interesting technique, but not applicable to my need.


niketn
Legend

@dreeck, please use the following answer of mine, which has a similar example with addinfo and will allow you to do something similar by adding the | addinfo command.

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"