Reporting

Adjusting earliest/latest for both main search and sub-search

yyossef
Explorer

Hi,

I am encountering difficulty running different time range for main search and sub-search at the same time, while the time string is been received (ltime) from a savesearch.

attached are the savesearch i am running, and also the report wich is run by the savesearch.

savedsearch:
| savedsearch ltime="09/09/2017 22:00:00"

reportname:
index=GroupA latest=$ltime$ earliest=$ltime$-30m [ search index=GroupB earliest=$ltime$-7d latest=$ltime$ | table IP ] | stats latest(STATE) by IP

I would like to receive the latest time from a savedsearch and base on that, calculate the earliest/last parameter for both main search and sub-search.

I would appreciate Any advice , thanks!

aholzer
Motivator

Modifying time tokens is a little tricky, here's a link to another Splunk answers question that has a working solution to your problem.

Hope this helps

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...