
How to overwrite earliest/latest time during search for saved search?



I am looking to change the earliest/latest time during a search for saved searches. It's working for a normal search query but not for savedsearch. Is this expected?

Is there a way to override the time for savedsearch? For my search query I am getting the earliest/latest time from another file generated dynamically, so I can't use the time picker.

Case 1: Override of earliest/latest time doesn't work for saved search.
[screenshot]

Case 2: Override of earliest/latest time works for normal search query.
[screenshot]



There is a way to achieve this, but your savedsearch has to cater for it. You can't amend the savedsearch timespan by just putting earliest= latest= in the command properties -- that doesn't work. You have to provide the data as variables to the savedsearch.

Here is a savedsearch I have created called "Makeresults Show Times":

index=_internal earliest=$etime$ latest=$ltime$
| head 1
| addinfo
| convert ctime(info_min_time) as earliest_time ctime(info_max_time) as latest_time timeformat="%d/%m/%Y %H:%M:%S"
| table earliest_time latest_time

You can then pass the variables etime and ltime to the search to override the time selection, such as:

| savedsearch "Makeresults Show Times" etime=-15m ltime=now

This will then produce the correct data that you are looking for.

That said, it will also break the report when it is referenced not using the etime and ltime variables -- so you would have to make a report that would only cater for this singular use case and for no others, which seems like it would introduce duplication of effort.

So it is possible, just not very practical.


A saved search has a defined time window, which is configured when you build the original search; this timeframe is used when the search is executed.

You can't pass earliest/latest to the savedsearch command because you are recalling events with a predetermined window.
Notice that the parameters are not formatted as green when passed to the saved search, but they are for the normal search.

If you are using the saved search to recall a complex search query, consider using a macro instead.

If my comment helps, please give it a thumbs up!
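The two approaches described above, as an added example that is not code from either answer: a POSIX shell script that reads the earliest/latest pair from the dynamically generated file the question mentions, checks both values against an allowlist of Splunk time syntax, and then builds either the `| savedsearch "..." etime= ltime=` invocation from the first answer or the macro call the second answer suggests. The two-line file format, the macro name `show_times`, the function names and the credentials in the trailing comment are assumptions. The validation step is the part neither answer covers: the values are spliced straight into SPL, so a tampered or malformed time file could otherwise add extra commands to the search.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the SPL that hands a
# dynamically generated earliest/latest pair to a saved search whose
# definition contains earliest=$etime$ latest=$ltime$ (first answer),
# or to a macro that takes the same two arguments (second answer).
# File format, macro name and function names are assumptions.

# Allowlist of time values we are willing to interpolate: "now", a
# 10-digit epoch, a relative modifier such as -15m or -1d@d, or a bare
# snap such as @d. A pipe, space or quote never matches, so a tampered
# time file cannot splice additional SPL into the search.
TIME_RE='^(now|[0-9]{10}|[-+]?[0-9]+(s|m|h|d|w|mon|q|y)(@(s|m|h|d|w|mon|q|y))?|@(s|m|h|d|w|mon|q|y))$'

valid_time() {
    printf '%s' "$1" | grep -Eq "$TIME_RE"
}

# read_window FILE: prints "EARLIEST LATEST" from a two-line file
# (line 1 = earliest, line 2 = latest; assumed format) or fails.
read_window() {
    e=$(sed -n '1p' "$1")
    l=$(sed -n '2p' "$1")
    valid_time "$e" || { echo "rejected earliest value: $e" >&2; return 1; }
    valid_time "$l" || { echo "rejected latest value: $l" >&2; return 1; }
    printf '%s %s\n' "$e" "$l"
}

# savedsearch_spl NAME FILE: the invocation from the first answer. NAME is
# operator-controlled; the report must contain earliest=$etime$ latest=$ltime$.
savedsearch_spl() {
    w=$(read_window "$2") || return 1
    set -- "$1" $w
    printf '| savedsearch "%s" etime=%s ltime=%s\n' "$1" "$2" "$3"
}

# macro_spl FILE: the alternative from the second answer, assuming a macro
# defined in macros.conf as:
#   [show_times(2)]
#   args = etime,ltime
#   definition = index=_internal earliest=$etime$ latest=$ltime$ | head 1 | addinfo
macro_spl() {
    w=$(read_window "$1") || return 1
    set -- $w
    printf '`show_times(%s,%s)`\n' "$1" "$2"
}

# Constructed sample input: the kind of file the question describes.
WINDOW_FILE=$(mktemp)
printf '%s\n' '-15m' 'now' > "$WINDOW_FILE"

SPL=$(savedsearch_spl "Makeresults Show Times" "$WINDOW_FILE")
echo "$SPL"
# To run it where the Splunk CLI is on PATH (credentials are an assumption):
# splunk search "$SPL" -auth admin:changeme
```

The allowlist is deliberately narrower than everything Splunk's time parser accepts (it omits, for example, snap-and-offset forms such as `-1d@d+3h`); widen it only for syntax you actually emit, since every extra character class is one more thing an upstream file generator can feed into the search string.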