
How do I specify an earliest/latest search relative to the global time range selector?

kkanand
Explorer

How do I specify an earliest/latest search relative to the global time range selector?

So if I choose 9/22/2022 in the global time range selector, I want my search to search from 2am to 3pm on that day.

When I specify earliest=@d+2h latest=@d+15h, this completely overrides the global time selector and I get the current time instead of the date from the global time range selector.


kkanand
Explorer

Above didn't work:

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat" | fields o_p_name | table _time o_p_name

Time windows: (2:30 AM - 3 PM) and (3 PM - 11 PM)

ITWhisperer
SplunkTrust

<your search> [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]


ITWhisperer
SplunkTrust

What are you saying here? You don't appear to have included my suggestion, and your requirement appears to have changed (with different time windows)!

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

kkanand
Explorer

I am sorry. I forgot to write more on that.
I was using the above query in 2 different panels for 2 different time windows.

Panel 1. 2:30 am to 3 pm - Specified Custom time > Advanced > Earliest = @d+8h+30m and Latest = @d+21h

Panel 2. 3 pm to 11 pm - Specified Custom time > Advanced > Earliest = @d+15h and Latest = @d+23h

And the data is not showing up properly with this query.

Can you please suggest the changes needed?

Thank you

ITWhisperer
SplunkTrust

One panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+2h+30m")
  | eval latest=relative_time(info_min_time,"@d+15h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

The other panel uses the query like this

index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"  [| makeresults
  | addinfo
  | eval earliest=relative_time(info_min_time,"@d+15h")
  | eval latest=relative_time(info_min_time,"@d+23h")
  | fields earliest latest]
| fields o_p_name   | table _time o_p_name

Both panels use the global time picker

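As an added example (not from the thread, and not the original poster's dashboard), here are the two panels described above wired to one shared time input in Splunk Simple XML; the dashboard label, the token name global_time and the default range are assumptions.

```xml
<form>
  <label>Completed builds by time window (constructed example)</label>
  <fieldset submitButton="false">
    <!-- One date picker shared by both panels; token name is an assumption -->
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Day to inspect</label>
      <default>
        <earliest>@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>2:30 AM - 3 PM</title>
      <table>
        <search>
          <!-- addinfo exposes the picker's start as info_min_time; relative_time
               snaps to that day (@d), so the window follows the picked date -->
          <query>index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"
  [| makeresults
   | addinfo
   | eval earliest=relative_time(info_min_time,"@d+2h+30m")
   | eval latest=relative_time(info_min_time,"@d+15h")
   | fields earliest latest]
| table _time o_p_name</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>3 PM - 11 PM</title>
      <table>
        <search>
          <query>index=openshift_abc-ddx "Completed building" file_type=AAA_BBB_CCC openshift_deployment_labels="app=cc-dd" openshift_namespace="dddf0-ddf-uat"
  [| makeresults
   | addinfo
   | eval earliest=relative_time(info_min_time,"@d+15h")
   | eval latest=relative_time(info_min_time,"@d+23h")
   | fields earliest latest]
| table _time o_p_name</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the subsearch snaps info_min_time (the start of the picked range) to @d, a picker range spanning several days yields windows on the first day only, so keep the picker on a single day.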

kkanand
Explorer

I am getting an error: "You have reached the limit for number of private messages that you can send for now. Please try again later."

I added the new query you sent, but the data is not coming up.

Can you PM your email id? Then I can reply to that.

johnhuang
Motivator

Extract the hour (00, 01, 02, .., 24) from time and filter by it.

| eval evt_hour=tonumber(strftime(_time, "%H"))
| where evt_hour>=2 AND evt_hour<=15
