Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time-modifiers relative to the time-picker

DrRich
Explorer
‎08-15-2017 06:40 AM

I have a Splunk query that returns 3 event types. I'd like the "Start" type events to be set by the time-picker and I'd like the "Stop" and "Portal" events to be driven by the time-picker plus or minus 2 days at each end. For example, if I choose the 2nd Aug for "Start" events I'd like to return the 1st to 3rd August for "Stop" and "Portal" events. Any ideas?

Thanks in advance.

 index=50 (type="Start" AND termination_cause!="Resumed" {date range A}) 
   OR (type="Stop" AND termination_cause!="Suspect-Logout" {date-range B}) 
   OR (type="Portal" view="PortalView_Process_*" {date range C})
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DrRich
Explorer
‎08-16-2017 07:21 AM

I've made some progress and I've now got the script to run (see below) but the output isn't what I was expecting. It appears that the time picker is overriding the time ranges set for the "Stop" and "Portal" events, so if I select yesterday (15th Aug) only events that occurred on the 15th for all three types are returned. I've also included a screenshot of the output. Any Ideas?

Thanks

alt text

index=50 (type="Start" AND termination_cause!="Resumed") 
     OR (type="Stop" AND termination_cause!="Suspect-Logout" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""]) 
     OR (type="Portal" view="PortalView_Process_*" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""])
  | eval session_start_time_unix=if(type="Start",_time,"")
  | eval session_stop_time_unix=if(type="Stop",_time,"")
  | eval session_portal_time_unix=if(type="Portal",_time,"")
  | eval session_start_time=strftime(session_start_time_unix,"%Y/%m/%d %H:%M:%S")
  | eval session_stop_time=strftime(session_stop_time_unix,"%Y/%m/%d %H:%M:%S")
  | eval session_portal_time=strftime(session_portal_time_unix,"%Y/%m/%d %H:%M:%S")
  | stats min(session_start_time) as earliest_start_time, max(session_start_time) as latest_start_time, min(session_stop_time) as earliest_stop_time, max(session_stop_time) as latest_stop_time, min(session_portal_time) as earliest_portal_time, max(session_portal_time) as latest_portal_time

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

DrRich
Explorer
‎08-16-2017 07:21 AM

I've made some progress and I've now got the script to run (see below) but the output isn't what I was expecting. It appears that the time picker is overriding the time ranges set for the "Stop" and "Portal" events, so if I select yesterday (15th Aug) only events that occurred on the 15th for all three types are returned. I've also included a screenshot of the output. Any Ideas?

Thanks

alt text

index=50 (type="Start" AND termination_cause!="Resumed") 
     OR (type="Stop" AND termination_cause!="Suspect-Logout" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""]) 
     OR (type="Portal" view="PortalView_Process_*" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""])
  | eval session_start_time_unix=if(type="Start",_time,"")
  | eval session_stop_time_unix=if(type="Stop",_time,"")
  | eval session_portal_time_unix=if(type="Portal",_time,"")
  | eval session_start_time=strftime(session_start_time_unix,"%Y/%m/%d %H:%M:%S")
  | eval session_stop_time=strftime(session_stop_time_unix,"%Y/%m/%d %H:%M:%S")
  | eval session_portal_time=strftime(session_portal_time_unix,"%Y/%m/%d %H:%M:%S")
  | stats min(session_start_time) as earliest_start_time, max(session_start_time) as latest_start_time, min(session_stop_time) as earliest_stop_time, max(session_stop_time) as latest_stop_time, min(session_portal_time) as earliest_portal_time, max(session_portal_time) as latest_portal_time
Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

rvany
Communicator
‎08-16-2017 12:34 PM

Just some kind off feedback - I tried a partial search taken from your current one:

index=syslogs [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""]

This works as expected. I tried as a normal search and also as a report.

BTW [OT]: could you tell me how to format code with line numbers?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-15-2017 07:43 AM

Try this
*Updated (added format command to resolve search time error) *

index=50 (type="Start" AND termination_cause!="Resumed") 
    OR (type="Stop" AND termination_cause!="Suspect-Logout" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""]) 
    OR (type="Portal" view="PortalView_Process_*" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest  | format "" "" "" "" "" ""])
0 Karma
Reply
Solved! Jump to solution

DrRich
Explorer
‎08-16-2017 06:32 AM

Thanks for this. I seem to be getting an error when I try and run this search it says:

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.

Am I missing something?

Thanks in advance

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-16-2017 08:32 AM

Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

DrRich
Explorer
‎08-16-2017 11:57 AM

Thanks for this, it now runs but the time picker is overriding the time ranges set for the "Stop" and "Portal" events, so if I select yesterday (15th Aug) only events that occurred on the 15th for all three types are returned (see my update below). Any ideas as I'm out of them now. Thanks

0 Karma
Reply
Solved! Jump to solution

rvany
Communicator
‎08-16-2017 06:42 AM

Maybe you are missing a quote so the syntax isn't correct? Are both ANDs coloured?

0 Karma
Reply
Solved! Jump to solution

rvany
Communicator
‎08-15-2017 07:14 AM

Are you familiar with simple xml editing? I believe you could set different time ranges (as tokens) depending on the time picker setting. These tokens you could use in your search in place of date-range B or C.

0 Karma
Reply
Solved! Jump to solution

DrRich
Explorer
‎08-16-2017 06:33 AM

I have looked at this but it won't work for my use case as I am passing the query to Splunk via the js stack from a third party application. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...