Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

to read the first previous event out of the selected time range

spisiakmi
Contributor
‎08-27-2025 09:19 AM

Hi, can anybody help, please?

Here the status quo:

In the Dashboard there is time picker object.

selected time range: 2025.08.25 07:00:00 - 2025.08.25 22:00:00 (it can be universall picked with the user)

goal: to have a pie chart, where the duration of several signals (state) in selected time range is displayed.

simple query:

| sort Zeitstempel
| delta Zeitstempel as dlt
| table Zeitstempel, Zeit, state, dlt

results:

spisiakmi_0-1756310779216.png

pie chart code something like this:
| eval dlt=abs(dlt)
| stats sum(dlt) as Status by state

Problem:
The start of the time range is 2025.08.25 07:00:00. The first event comes at 2025.08.25 07:44:15. Is there a possibility to catch somehow the information about the event before 2025.08.25 07:00:00, to catch the state and to calculated the duration of this state in the range 2025.08.25 07:00:00-2025.08.25 07:44:15?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2025 01:35 PM

There is no way to find something outside the search time range. So you must either extend the time range (but if you don't know how much, that's gonna be problematic) and just drop the values "before" or capture the state from a previous run of the search over another time range into a lookup or summary index.

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2025 01:35 PM

There is no way to find something outside the search time range. So you must either extend the time range (but if you don't know how much, that's gonna be problematic) and just drop the values "before" or capture the state from a previous run of the search over another time range into a lookup or summary index.

Reply
Solved! Jump to solution

spisiakmi
Contributor
‎08-28-2025 12:56 AM

Hi PickleRick, I had an idea with the summary index, just wanted to know, if there is anything better. Nothing better. So I've choosen the summary index with a specific prev_fields definition.

| streamstats current=f window=1 last(state) as prev_state, last(Zeitstempel) as prev_Zeitstempel
If I index in summary index the prev_state and prev_Zeitstempel I have better position to calculate the duration in universall picked time range. The dashboard should only use the summary index as a source of the data.

PickleRick, as you mentioned summary index, I mark your msg as a solution. Thank you.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-27-2025 12:58 PM

Hi @spisiakmi ,

this is always the problem analyzing a transaction.

The only way is to define a larger period and eventually restrict the starting events.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Contributor
‎08-28-2025 12:47 AM

Hi gcusello, thank you very much for your msg.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2025 12:59 AM

Hi @spisiakmi ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎08-27-2025 12:57 PM

Hi @spisiakmi 

Its hard to say completely without the full picture/SPL however perhaps you could append a query which looks at latest<$yourEarliestTimeToken$ (e.g. latest<2025.08.25 07:00:00) and then use | head 1 to get the last event. There may be other ways to make this more performant but this could be a good place to start.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution

spisiakmi
Contributor
‎08-28-2025 12:48 AM

Hi livehybrid,

thank you very much for your msg. Yes, in subsearch | head 1 is the option. But for me very complicated and not universall (search time in the past).

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...