Monitoring Splunk

How does the addinfo command work with time?

Esky73
Builder

The new fields that are created when using the addinfo cmd

info_min_time The earliest time boundary for the search.
info_max_time The latest time boundary for the search.

How are they calculated ?

I've used the Example 2 as detailed here to create a search : http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addinfo

Looking to find more info as to what the new created fields do.

thx

0 Karma

niketn
Legend

@Esky73, | addinfo command adds search related metadata info to the search results so that the same can be reused. I think the documentation is fairly detailed as to what each for the info_* fields do

info_min_time         : Earliest time selected for the search you ran (this would be the earliest time from the Time Picker that you run or else if you have used `earliest` parameter in the base search) 

info_max_time         : Latest time selected for the search you ran (this would be the latest time from the Time Picker that you run or else if you have used `latest` parameter in the base search)

info_sid              : The Search ID of the search job that generated the event/s. This will help you re-run the search or pull the results from the search using this ID. (REST endpoints reference are listed here: http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#REST_endpoints_for_searches)

info_search_time      : The time when the Search job was executed. This would be the same as info_max_time when your latest time is `now()` or `@s`

If you want to see these values and understand how they work you can change the second query in the addinfo reference documentation like the following and re-run the search with different Time ranges:

<YourBaseSearch>
| stats latest(_time) AS latest_time BY host
| addinfo
| fieldformat latest_time=strftime(latest_time,"%c")
| fieldformat info_min_time=strftime(info_min_time,"%c")
| fieldformat info_max_time=strftime(info_max_time,"%c")
| fieldformat info_search_time=strftime(info_search_time,"%c")
| table host latest info_*

Actually in the query the pipe | eval latest_age = info_max_time - latest_time, is used to calculate theage of last event received per host, using latest event received per host (i.e. latest_time) by subtracting it from latest time which is being seen usinglatest from the time range picker` (i.e. info_max_time). Let us know if you require further details.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...