Re: How to search for logs 1 min before and after ...

jackjackjack · ‎08-01-2017

Ideally I'd like to create a dashboard query that searches an inputted time like "2017-08-01 09:29:28". The search then filters to show logs only 1 minute before and after the specified time.

I'm aware I can manually edit the Date & Time Range, but I'm looking to automate this due to frequent use.

How can I do this?

woodcock · ‎08-01-2017

use an eval-based token command in your XML to create an epoch-based time token and then:

index=YouShouldAlwaysSpecifyAnIndex sourcetype=YourShourctypeHere earliest=$epoch_token$-1m latest=$epoch_token$+1m other stuff here

jackjackjack · ‎08-01-2017

I received this error:

Invalid value "1501526421-1m" for time term 'earliest'

Can I subtract/add a number value from the epoch time equivalent to 60 seconds?

woodcock · ‎08-01-2017

Yes, you should be able to do that when you set the token and set 2 tokens, one with +60 and the other with -60 because it is in seconds.

jackjackjack · ‎08-01-2017

I'm unable to add/subtract from the epoch time. I have to use eval to perform basic math which won't work when declaring earliest/latest.

woodcock · ‎08-01-2017

Look at this run-anywhere example search and pattern your design similarly:

index=_* [|makeresults | eval timetoken=now() - 600 | eval search="earliest=" . (timetoken - 60) . " latest=" . (timetoken + 60) | table search]

How to search for logs 1 min before and after a specified time?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!