Solved: Re: Custom Time range based on most recent event t...

gpburgett · ‎12-28-2010

When you search with "All Time" the timeline snaps to the earliest and latest event times. Is there a way to create a custom time-range relative the earliest/latest event time?

e.g. Earliest: LastEvent-1d      Latest: LastEvent

Why this came up: We are introducing Splunk to a partner of ours and we have set up an indexer and search head for them. But they don't want to install forwarders on their production systems yet because they're just checking it out so far. So we just uploaded some chunks of their log files. In a real deployment situation where the data was coming in in real-time, we could just set the search time range for dashboards to 'Earliest: -1d Latest: ", but because there is only a chunk of files we only get a few hours worth of data from the previous 24 hours. So we were curious about whether we could set up custom time ranges relative to the times of the latest event to get a graph of the data from 1day before the latest event.

(Note: Not urgent. We adjusted the time range to where we get some pretty graphs for them to check out. We just got curious.)

gkanapathy · ‎12-28-2010

Well, you don't know the latest time without doing a search first, so you need a subsearch to determine the time of the most recent event. Once you do that, it's pretty straightforward to pull out the time and insert it into the search query (via subsearch). There are a couple of ways. Most general:

"searchterm1" "term2" [ search "searchterm1" "term2" | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]

If you have a specific sourcetype, it might (or might not) be slightly more efficient to:

sourcetype=mysourcetype [ metadata type=sourcetypes | where sourcetype=mysourcetype | eval earliest=relative_time(lastTime,"-1d") | eval latest=lastTime | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]

(You could of course do similarly for a specific source or host.)

View solution in original post

gkanapathy · ‎12-28-2010

Well, you don't know the latest time without doing a search first, so you need a subsearch to determine the time of the most recent event. Once you do that, it's pretty straightforward to pull out the time and insert it into the search query (via subsearch). There are a couple of ways. Most general:

"searchterm1" "term2" [ search "searchterm1" "term2" | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]

If you have a specific sourcetype, it might (or might not) be slightly more efficient to:

sourcetype=mysourcetype [ metadata type=sourcetypes | where sourcetype=mysourcetype | eval earliest=relative_time(lastTime,"-1d") | eval latest=lastTime | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]

(You could of course do similarly for a specific source or host.)

gkanapathy · ‎10-17-2011

Yes. I have corrected the searches, but basically there is a special case with time modifiers in subsearches, so you have to add | format "(" "(" "" ")" "OR" ")" to the subsearch results.

herbie · ‎10-16-2011

Hi guys,
Do you know if this solution still works with Splunk 4.2.1? I'm trying to use the above search but I get the following error every time:
"Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."

Here's the search I'm using:

index=prod sourcetype=odr [search index=prod sourcetype=odr | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest]

If I run the subsearch as a normal search the earliest & latest fields get returned correctly, but when it's a subsearch it errors out.

Cheers.

Custom Time range based on most recent event time

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM