
How does the addinfo command work with time?


The new fields that are created when using the addinfo cmd

info_min_time The earliest time boundary for the search.
info_max_time The latest time boundary for the search.

How are they calculated?

I've used Example 2 as detailed here to create a search: http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addinfo

Looking to find more info as to what the new created fields do.

thx


Re: How does the addinfo command work with time?


@Esky73, the | addinfo command adds search-related metadata to the search results so that it can be reused. I think the documentation is fairly detailed as to what each of the info_* fields does:

info_min_time         : Earliest time selected for the search you ran (this would be the earliest time from the Time Picker that you run or else if you have used `earliest` parameter in the base search) 

info_max_time         : Latest time selected for the search you ran (this would be the latest time from the Time Picker that you run or else if you have used `latest` parameter in the base search)

info_sid              : The Search ID of the search job that generated the event/s. This will help you re-run the search or pull the results from the search using this ID. (REST endpoints reference are listed here: http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#REST_endpoints_for_searches)

info_search_time      : The time when the Search job was executed. This would be the same as info_max_time when your latest time is `now()` or `@s`

If you want to see these values and understand how they work you can change the second query in the addinfo reference documentation like the following and re-run the search with different Time ranges:

<YourBaseSearch>
| stats latest(_time) AS latest_time BY host
| addinfo
| fieldformat latest_time=strftime(latest_time,"%c")
| fieldformat info_min_time=strftime(info_min_time,"%c")
| fieldformat info_max_time=strftime(info_max_time,"%c")
| fieldformat info_search_time=strftime(info_search_time,"%c")
| table host latest_time info_*

Actually, in the query the pipe | eval latest_age = info_max_time - latest_time is used to calculate the age of the last event received per host, by subtracting the latest event received per host (i.e. latest_time) from the latest time selected in the time range picker (i.e. info_max_time). Let us know if you require further details.

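To make the relationship between the time picker, the info_* fields and the per-host age concrete, here is a small Python re-creation of the addinfo / stats / eval pipeline from the answer above. It is an added illustration, not code from the post or from Splunk: the event list and epoch values are constructed, and the functions addinfo, latest_by_host and latest_age are hypothetical stand-ins for the SPL commands. It follows Splunk's window semantics (earliest inclusive, latest exclusive) and the answer's point that info_max_time equals info_search_time when the latest time is "now".

```python
"""Re-creating | stats latest(_time) BY host | addinfo | eval latest_age in plain
Python. Constructed example; not Splunk code. Times are epoch seconds (UTC)."""
from datetime import datetime, timezone

# Constructed sample events - not real data.
EVENTS = [
    {"host": "web01", "_time": 1700000000},
    {"host": "web01", "_time": 1700003000},
    {"host": "web02", "_time": 1699990000},
    {"host": "db01", "_time": 1700003500},
    {"host": "db01", "_time": 1700009999},  # later than the search window: dropped
]


def addinfo(earliest, latest, search_time):
    """Mimic | addinfo. earliest/latest are the effective search bounds (time
    picker, or earliest=/latest= in the base search). latest=None stands for
    'now', in which case info_max_time is the same as info_search_time."""
    return {
        "info_min_time": earliest,
        "info_max_time": search_time if latest is None else latest,
        "info_search_time": search_time,
    }


def latest_by_host(events, info):
    """Mimic | stats latest(_time) AS latest_time BY host, restricted to the
    window [info_min_time, info_max_time) that the search actually covered."""
    out = {}
    for ev in events:
        t = ev["_time"]
        if not (info["info_min_time"] <= t < info["info_max_time"]):
            continue
        out[ev["host"]] = max(t, out.get(ev["host"], t))
    return out


def latest_age(events, earliest, latest, search_time):
    """Mimic | eval latest_age = info_max_time - latest_time, per host.
    Hosts with no event inside the window are absent from the result."""
    info = addinfo(earliest, latest, search_time)
    return {host: info["info_max_time"] - t
            for host, t in latest_by_host(events, info).items()}


def fmt(epoch):
    """Equivalent of fieldformat ... strftime(x, "%c") for display."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%c")


if __name__ == "__main__":
    search_time = 1700004000  # constructed: the moment the search job ran
    # Case 1: time picker latest = now -> info_max_time == info_search_time
    info = addinfo(1699980000, None, search_time)
    print("window:", fmt(info["info_min_time"]), "->", fmt(info["info_max_time"]))
    for host, age in latest_age(EVENTS, 1699980000, None, search_time).items():
        print(f"{host}: last event {age} s before info_max_time")
    # Case 2: explicit latest= in the base search -> db01 has no event in window
    print(latest_age(EVENTS, 1699980000, 1700003200, search_time))
```

The second case is the one that trips people up: with an explicit latest= the age is measured against that bound rather than against the moment the search ran, and a host whose only events fall outside the window simply disappears from the stats output rather than showing a large age.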