When you search with "All Time" the timeline snaps to the earliest and latest event times. Is there a way to create a custom time-range relative the earliest/latest event time?
e.g. Earliest: LastEvent-1d Latest: LastEvent
Why this came up: We are introducing Splunk to a partner of ours and we have set up an indexer and search head for them. But they don't want to install forwarders on their production systems yet because they're just checking it out so far. So we just uploaded some chunks of their log files. In a real deployment situation where the data was coming in in real-time, we could just set the search time range for dashboards to 'Earliest: -1d Latest: ", but because there is only a chunk of files we only get a few hours worth of data from the previous 24 hours. So we were curious about whether we could set up custom time ranges relative to the times of the latest event to get a graph of the data from 1day before the latest event.
(Note: Not urgent. We adjusted the time range to where we get some pretty graphs for them to check out. We just got curious.)
Well, you don't know the latest time without doing a search first, so you need a subsearch to determine the time of the most recent event. Once you do that, it's pretty straightforward to pull out the time and insert it into the search query (via subsearch). There are a couple of ways. Most general:
"searchterm1" "term2" [ search "searchterm1" "term2" | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]
If you have a specific sourcetype, it might (or might not) be slightly more efficient to:
sourcetype=mysourcetype [ metadata type=sourcetypes | where sourcetype=mysourcetype | eval earliest=relative_time(lastTime,"-1d") | eval latest=lastTime | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]
(You could of course do similarly for a specific source or host.)
Well, you don't know the latest time without doing a search first, so you need a subsearch to determine the time of the most recent event. Once you do that, it's pretty straightforward to pull out the time and insert it into the search query (via subsearch). There are a couple of ways. Most general:
"searchterm1" "term2" [ search "searchterm1" "term2" | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]
If you have a specific sourcetype, it might (or might not) be slightly more efficient to:
sourcetype=mysourcetype [ metadata type=sourcetypes | where sourcetype=mysourcetype | eval earliest=relative_time(lastTime,"-1d") | eval latest=lastTime | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]
(You could of course do similarly for a specific source or host.)
Yes. I have corrected the searches, but basically there is a special case with time modifiers in subsearches, so you have to add | format "(" "(" "" ")" "OR" ")"
to the subsearch results.
Hi guys,
Do you know if this solution still works with Splunk 4.2.1? I'm trying to use the above search but I get the following error every time:
"Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."
Here's the search I'm using:
index=prod sourcetype=odr [search index=prod sourcetype=odr | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest]
If I run the subsearch as a normal search the earliest & latest fields get returned correctly, but when it's a subsearch it errors out.
Cheers.