Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to I specify and earliest/latest search relative to the global time range selector?

kkanand
Explorer
‎09-23-2022 09:54 AM

How to I specify and earliest/latest search relative to the global time range selector.

So if I choose 9/22/2022 in the global time range selector.

I want my search to search from

2am to 3pm on that day.

When I specify earliest=@d+2h latests=@d+15h this completely overrides the global time selector and I get current time instead for the date from the global time range selector.

Labels (1)
Labels
0 Karma
Reply

kkanand
Explorer
‎09-26-2022 03:28 PM

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name   | table _time o_p_name 





time window 

 (2:30 AM - 3 PM)

 (3 PM - 11 PM)







0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2022 02:34 AM 
<your search> [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
0 Karma
Reply

kkanand
Explorer
‎09-26-2022 03:31 PM

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name   | table _time o_p_name 





time window 

 (2:30 AM - 3 PM)

 (3 PM - 11 PM)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-27-2022 01:19 AM

What are you saying here? You don't appear to have included my suggestion and your requirement appears to have changed (with different time windows)!

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name
0 Karma
Reply

kkanand
Explorer
‎09-27-2022 06:23 AM

I am sorry. I forgot to write more on that.
I was using the above query in 2 different panels for 2 different time windows.

Panel 1.  2.30 am to 3 pm    -    Specified Custom time > Advanced > Earliest = @d+8h+30m    and Latest = @d+21h

Panel 2. 3pm to 11pm -  Specified Custom time > Advanced > Earliest > @d+15h and Latest = @d+23h

And the data is not showing up properly with this query.

Can you please suggest the changes needed

Thank you

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-27-2022 06:32 AM

One panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

The other panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+15h")
  | eval latest=relative_time(info_min_time,"@d+23h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

Both panels use the global time picker

0 Karma
Reply

kkanand
Explorer
‎09-28-2022 02:38 PM

You have reached the limit for number of private messages that you can send for now. Please try again later.

I am getting error.
--------------------------------------------------------
I added the new query you sent 

But the data is not coming up.

-----------------------------------------------------------

Can you PM your email id then I can reply to that

0 Karma
Reply

johnhuang
Motivator
‎09-23-2022 11:07 AM

Extract the hour (00, 01, 02, .., 24) from time and filter by it.

 

| eval evt_hour=strftime(_time, "%H") 
| where evt_hour>=2 AND evt_hour<=15

 

0 Karma
Reply

kkanand
Explorer
‎09-26-2022 03:30 PM

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name   | table _time o_p_name 

time window 

 (2:30 AM - 3 PM)

 (3 PM - 11 PM)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...