Other Usage
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Overriding a time range in the saved search

osh55
Engager
‎12-19-2024 03:51 PM

For simplicity assume I have the following saved as a report (testReport):

index=testindex host=testhost earliest=-90m latest=now

I need to create 2 bar graphs in the same chart comparing two dates.  For starters I need to be able to run the above with a time I specify overrriding the time range above.

| savedsearch "testReport" earliest="12/08/2024:00:00:00" latest="12/08/2024:23:59:00"

I have seen a few similar question here but I don't think it has  a working solution. 

 

 

Tags (2)
0 Karma
Reply

osh55
Engager
‎12-19-2024 06:35 PM

I have saved the report using no time range. The report works getting results for  the last 60 minutes as expected.

My issue is when I query the testReport  I want to query with different earliest and latest times, so I can have two time ranges in the same chart.

Something like:

| savedsearch "testReport" earliest="12/08/2024:00:00:00" latest="12/08/2024:23:59:00" | table id, response_time| eval lineSource = "first_day"
| append
[| savedsearch "testReport" earliest="12/09/2024:00:00:00" latest="12/09/2024:23:59:00" | table id, response_time| eval lineSource = "second_day"]

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-20-2024 05:14 AM

The savedsearch command has a method for passing variables to the search.  That should make it possible to pass different values for earliest and latest.  See the Search Reference manual for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-19-2024 05:29 PM

Per the Search Reference Manual,

  • If you specify All Time in the time range picker, the savedsearch command uses the time range that was saved with the saved search.
  • If you specify any other time in the time range picker, the time range that you specify overrides the time range that was saved with the saved search.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...