Splunk Dev

Time-modifiers relative to the time-picker

DrRich
Explorer

I have a Splunk query that returns 3 event types. I'd like the "Start" type events to be set by the time-picker and I'd like the "Stop" and "Portal" events to be driven by the time-picker plus or minus 2 days at each end. For example, if I choose the 2nd Aug for "Start" events I'd like to return the 1st to 3rd August for "Stop" and "Portal" events. Any ideas?

Thanks in advance.

 index=50 (type="Start" AND termination_cause!="Resumed" {date range A}) 
   OR (type="Stop" AND termination_cause!="Suspect-Logout" {date-range B}) 
   OR (type="Portal" view="PortalView_Process_*" {date range C})
0 Karma
1 Solution

DrRich
Explorer

I've made some progress and I've now got the script to run (see below) but the output isn't what I was expecting. It appears that the time picker is overriding the time ranges set for the "Stop" and "Portal" events, so if I select yesterday (15th Aug) only events that occurred on the 15th for all three types are returned. I've also included a screenshot of the output. Any Ideas?

Thanks


index=50 (type="Start" AND termination_cause!="Resumed") 
     OR (type="Stop" AND termination_cause!="Suspect-Logout" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_max_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""]) 
     OR (type="Portal" view="PortalView_Process_*" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_max_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""])
  | eval session_start_time_unix=if(type="Start",_time,"")
  | eval session_stop_time_unix=if(type="Stop",_time,"")
  | eval session_portal_time_unix=if(type="Portal",_time,"")
  | eval session_start_time=strftime(session_start_time_unix,"%Y/%m/%d %H:%M:%S")
  | eval session_stop_time=strftime(session_stop_time_unix,"%Y/%m/%d %H:%M:%S")
  | eval session_portal_time=strftime(session_portal_time_unix,"%Y/%m/%d %H:%M:%S")
  | stats min(session_start_time) as earliest_start_time, max(session_start_time) as latest_start_time, min(session_stop_time) as earliest_stop_time, max(session_stop_time) as latest_stop_time, min(session_portal_time) as earliest_portal_time, max(session_portal_time) as latest_portal_time


0 Karma


rvany
Communicator

Just some kind of feedback - I tried a partial search taken from your current one:

index=syslogs [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_min_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""]

This works as expected. I tried as a normal search and also as a report.

BTW [OT]: could you tell me how to format code with line numbers?

0 Karma

somesoni2
SplunkTrust

Try this
Updated (added format command to resolve search time error)

index=50 (type="Start" AND termination_cause!="Resumed") 
    OR (type="Stop" AND termination_cause!="Suspect-Logout" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_max_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""]) 
    OR (type="Portal" view="PortalView_Process_*" [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-2d@d") | eval latest=relative_time(info_max_time,"+2d@d") | table earliest latest | format "" "" "" "" "" ""])
0 Karma

DrRich
Explorer

Thanks for this. I seem to be getting an error when I try and run this search it says:

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.

Am I missing something?

Thanks in advance

0 Karma

somesoni2
SplunkTrust

Try the updated answer.

0 Karma

DrRich
Explorer

Thanks for this, it now runs but the time picker is overriding the time ranges set for the "Stop" and "Portal" events, so if I select yesterday (15th Aug) only events that occurred on the 15th for all three types are returned (see my update below). Any ideas as I'm out of them now. Thanks

0 Karma

rvany
Communicator

Maybe you are missing a quote so the syntax isn't correct? Are both ANDs coloured?

0 Karma

rvany
Communicator

Are you familiar with simple xml editing? I believe you could set different time ranges (as tokens) depending on the time picker setting. These tokens you could use in your search in place of date-range B or C.

0 Karma

DrRich
Explorer

I have looked at this but it won't work for my use case as I am passing the query to Splunk via the js stack from a third party application. Thanks

0 Karma
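Added example (editor's note, not code from the thread or from Splunk): the accepted-solution post derives the padded "Stop"/"Portal" window inside a subsearch with addinfo and relative_time, and then observes that the time picker still clips the result to the picked day. The last post says the query is submitted from a third-party application through the JavaScript stack, and that caller already holds the picker bounds. The function below builds the same three-clause search with explicit epoch time modifiers on every clause and also returns the job-level time range (the union of all clause windows), so whatever the precedence rules between inline modifiers and the picker, the job is dispatched over a range that covers the widest clause and each clause only narrows within it. Assumptions: index, field names and values are taken from the thread as written; relative_time snaps to the day boundary in the search head's timezone, whereas this example snaps in UTC; the padded window is taken from both ends of the picker (earliest from its start, latest from its end), not from info_min_time alone; the epoch picker values are constructed for the thread's "yesterday, 15th Aug" case; the job-creation call itself is not shown and is assumed to accept earliest_time and latest_time.

```javascript
// Added example, not code from the thread. Builds the three-clause search
// from the picker bounds the calling application already has, instead of
// deriving the padded window in a subsearch, and returns the job-level time
// range the caller should submit alongside the query.

const DAY = 86400; // seconds

// Snap an epoch (seconds) to the start of its UTC day and shift by whole days.
// Same result as SPL relative_time(t, "-2d@d") / relative_time(t, "+2d@d") for
// whole-day offsets, except that SPL snaps in the search head's timezone;
// this example assumes UTC.
function snapToDayUtc(epoch, dayOffset) {
  const dayStart = Math.floor(epoch / DAY) * DAY;
  return dayStart + dayOffset * DAY;
}

// Window for the "Stop" and "Portal" clauses: the picker range padded by
// padDays at each end (earliest from the picker's start, latest from its end).
function paddedWindow(pickerEarliest, pickerLatest, padDays) {
  return {
    earliest: snapToDayUtc(pickerEarliest, -padDays),
    latest: snapToDayUtc(pickerLatest, padDays),
  };
}

// Build the SPL with explicit epoch time modifiers on every clause, plus the
// job-level earliest_time/latest_time (the union of all clause windows).
function buildSearch(pickerEarliest, pickerLatest, padDays = 2) {
  const w = paddedWindow(pickerEarliest, pickerLatest, padDays);
  const clauses = [
    `(type="Start" termination_cause!="Resumed" earliest=${pickerEarliest} latest=${pickerLatest})`,
    `(type="Stop" termination_cause!="Suspect-Logout" earliest=${w.earliest} latest=${w.latest})`,
    `(type="Portal" view="PortalView_Process_*" earliest=${w.earliest} latest=${w.latest})`,
  ];
  return {
    query: `search index=50 ${clauses.join(" OR ")}`,
    // Submit these with the job (earliest_time / latest_time) so that no
    // clause's window lies outside the range Splunk actually scans.
    earliest_time: Math.min(pickerEarliest, w.earliest),
    latest_time: Math.max(pickerLatest, w.latest),
  };
}

// Constructed input: the thread's "yesterday, 15th Aug" picker, in UTC.
const PICKER_EARLIEST = 1502755200; // 2017-08-15T00:00:00Z
const PICKER_LATEST = 1502841600;   // 2017-08-16T00:00:00Z

console.log(JSON.stringify(buildSearch(PICKER_EARLIEST, PICKER_LATEST), null, 2));
```

For the 15th Aug picker this yields a Start clause bounded to the 15th and Stop/Portal clauses bounded to 13th 00:00 through 18th 00:00 (exclusive), i.e. the 13th to the 17th inclusive, with the job itself dispatched over that wider range. Pass `query`, `earliest_time` and `latest_time` to the job-creation call of whatever SDK the application uses (assumed here to accept those parameters); keeping the window arithmetic in the caller also means the per-clause bounds are visible in the submitted search string rather than hidden in a subsearch.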