Solved: How to display active/selected time range?

petenetwork · ‎06-20-2018

I can create a Splunk query using earliest and latest fields, e.g.:

earliest=-7d latest=-1d index=os * |head 1

What I want is to put that calculated earliest time into a variable, e.g.

|eval StartedFrom=strftime( earliest, "%Y-%m-%d" )

... but this doesn't work.

How can I store the boundary of the search period into a variable?

UPDATE: @HiroshiSatoh provided the answer. My working query now looks like:

 |makeresults
    |addinfo
    |eval result="earliest=" . strftime(info_min_time,"%m/%d/%Y:%H:%M:%S") . " latest=" . strftime(info_max_time,"%m/%d/%Y:%H:%M:%S")
    |table result

This is extremely useful because I can put this into a dashboard and then cut-and-paste the earliest/latest modifiers into any other queries I make while narrowing into an interesting time period.

Note that because this query does not rely on any actual search a dummy value can be created by prefixing the query with |makeresults.

HiroshiSatoh · ‎06-20-2018

It can be set using addinfo command.

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Addinfo

View solution in original post

HiroshiSatoh · ‎06-20-2018

It can be set using addinfo command.

https://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Addinfo

How to display active/selected time range?

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor