Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to I specify and earliest/latest search relative to the global time range selector?

kkanand
Explorer
‎09-23-2022 09:54 AM

How to I specify and earliest/latest search relative to the global time range selector.

So if I choose 9/22/2022 in the global time range selector.

I want my search to search from

2am to 3pm on that day.

When I specify earliest=@d+2h latests=@d+15h this completely overrides the global time selector and I get current time instead for the date from the global time range selector.

Labels (1)
Labels
0 Karma
Reply

kkanand
Explorer
‎09-26-2022 03:28 PM

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name   | table _time o_p_name 





time window 

 (2:30 AM - 3 PM)

 (3 PM - 11 PM)







0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2022 02:34 AM 
<your search> [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
0 Karma
Reply

kkanand
Explorer
‎09-26-2022 03:31 PM

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name   | table _time o_p_name 





time window 

 (2:30 AM - 3 PM)

 (3 PM - 11 PM)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-27-2022 01:19 AM

What are you saying here? You don't appear to have included my suggestion and your requirement appears to have changed (with different time windows)!

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name
0 Karma
Reply

kkanand
Explorer
‎09-27-2022 06:23 AM

I am sorry. I forgot to write more on that.
I was using the above query in 2 different panels for 2 different time windows.

Panel 1.  2.30 am to 3 pm    -    Specified Custom time > Advanced > Earliest = @d+8h+30m    and Latest = @d+21h

Panel 2. 3pm to 11pm -  Specified Custom time > Advanced > Earliest > @d+15h and Latest = @d+23h

And the data is not showing up properly with this query.

Can you please suggest the changes needed

Thank you

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-27-2022 06:32 AM

One panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

The other panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+15h")
  | eval latest=relative_time(info_min_time,"@d+23h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

Both panels use the global time picker

0 Karma
Reply

kkanand
Explorer
‎09-28-2022 02:38 PM

You have reached the limit for number of private messages that you can send for now. Please try again later.

I am getting error.
--------------------------------------------------------
I added the new query you sent 

But the data is not coming up.

-----------------------------------------------------------

Can you PM your email id then I can reply to that

0 Karma
Reply

johnhuang
Motivator
‎09-23-2022 11:07 AM

Extract the hour (00, 01, 02, .., 24) from time and filter by it.

 

| eval evt_hour=strftime(_time, "%H") 
| where evt_hour>=2 AND evt_hour<=15

 

0 Karma
Reply

kkanand
Explorer
‎09-26-2022 03:30 PM

Above didnt work
index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name   | table _time o_p_name 

time window 

 (2:30 AM - 3 PM)

 (3 PM - 11 PM)

0 Karma
Reply
Get Updates on the Splunk Community!

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...