Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use two time ranges in one search

anuremanan88
Explorer
‎10-05-2017 01:41 PM

Hi I am trying to search for two event types each in different time range. Here i am using time token. The eventtypes are "Password Change" and "Login". When i apply search for last 4 hrs, my query should search "password change" event for last 4 hrs and "login" event for last 8hrs. Similarly when i change the time filter my query should change accordingly.

index=new (EventType="Password Change" earliest=$token.earliest$ latest=$token.earliest$) OR (EventType="Login" earliest=$token.earliest$-4h latest=$token.earliest$) | remaining query

Anyone can help me in this?

0 Karma
Reply

cmerriman
Super Champion
‎10-06-2017 05:13 AM

try this:

index=new (EventType="Password Change" earliest=$earliest.earliest$) OR (EventType="Login" earliest=$earliest.earliest$-4h latest=$earliest.earliest$)

to see the token for earliest, use <form script="showtokens.js"> at the top of the source code. when i was testing it, my earliest was $earliest.earliest$, not $token.earliest$. You don't need to put a latest in your first search, if you're looking for the last four hours. if you do want a latest, perhaps use latest=$earliest.earliest$+4h

<form script="showtokens.js">
  <label>testdash</label>
  <fieldset submitButton="true">
    <input type="time" token="earliest">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=myindex (sourcetype=mysource1 earliest=$earliest.earliest$) OR (sourcetype=mysource2 earliest=$earliest.earliest$-4h latest=$earliest.earliest$)|stats earliest(_time) latest(_time) by sourcetype</query>
          <earliest>-4h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

anuremanan88
Explorer
‎10-06-2017 06:40 AM

Hi ,

Thank You for your inputs. This worked when i use relative time as input. However when i give Date and time range as input. i am getting the below error

Invalid value "1506657600-4h" for time term 'earliest'

Hoe to fix this?

0 Karma
Reply

niketn
Legend
‎10-06-2017 06:45 AM

@ anuremanan88, Try $earliest.earliest$-14400 instead of $earliest.earliest$-4h

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

anuremanan88
Explorer
‎10-06-2017 07:04 AM

It gives the same result " Invalid value "1506657600-14400" for time term 'earliest' "

0 Karma
Reply

niketn
Legend
‎10-05-2017 11:35 PM

@anuremanan88, I think you need to use sub-searches for two different EventType with specific timerange using earliest and latest. You can use append, join, multisearch or union command based on your use case(search type). Refer to the following documentation for deciding your option/s:

http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Union

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...