Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does splunk have the functionality to search for earliest time base on latest time?

tamduong16
Contributor
‎11-29-2017 10:33 AM

I have a dashboard which comes with a universal time field. I want to use it for my timecharts as well. But it acts differently when my time filter is set within a specific month. It works if I select the time field as "advanced" and set the earliest to -1mon@mon and latest to @mon. I want my timecharts to compare the month in time field and the previous month. For example, if I select the time to be in the month of September then my timechart will take that month to be the latest time frame and earliest to be August. Is this possible in Splunk? Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-29-2017 04:39 PM

Hi @tamduong16,

One way of getting a relative time is to use eval's relative_time function. Lets say your universal time field is called universalTimeField, and you can access it from index=bar

index=foo
    [ search index=bar
      | head 1
      | eval earliest = relative_time(universalTimeField, "-1mon@mon")
      | return earliest ]
| search continues...

The layout would be similar if you were using a token. The basic concept is to return earliest & or latest in the subsearch, which will be passed as constraints to the outer (or main) search.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-29-2017 04:54 PM

If I understand you correctly, what you need to do is create an eval-based token assignment in the <change> section of your timepicker set to $time.earliest$-1mon@mon. Then use the new token for your earliest value and $time.earliest$ for your latest value.

Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-29-2017 04:39 PM

Hi @tamduong16,

One way of getting a relative time is to use eval's relative_time function. Lets say your universal time field is called universalTimeField, and you can access it from index=bar

index=foo
    [ search index=bar
      | head 1
      | eval earliest = relative_time(universalTimeField, "-1mon@mon")
      | return earliest ]
| search continues...

The layout would be similar if you were using a token. The basic concept is to return earliest & or latest in the subsearch, which will be passed as constraints to the outer (or main) search.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...