Reporting

How to overwrite earliest/latest time during search for saved search?

agoyal
Builder

Hi,

I am looking to change the earliest/latest time during search for saved searches. It works for a normal search query but not for savedsearch. Is this expected?

Is there a way to override the time for savedsearch? For my search query I am getting the earliest/latest time from another file generated dynamically, so I can't use the timepicker.

Case 1: Override of earliest/latest time doesn't work for saved search.
[screenshot]

Case 2: Override of earliest/latest time works for normal search query.
[screenshot]

0 Karma

althomas
Communicator

There is a way to achieve this, but your savedsearch has to cater for it. You can't amend the savedsearch timespan by just putting earliest= latest= in the command properties -- that doesn't work. You have to provide the data as variables to the savedsearch.

Here is a savedsearch I have created called "Makeresults Show Times":

index=_internal earliest=$etime$ latest=$ltime$
| head 1
| addinfo
| convert ctime(info_min_time) as earliest_time ctime(info_max_time) as latest_time timeformat="%d/%m/%Y %H:%M:%S"
| table earliest_time latest_time

You can then pass the variables etime and ltime to the search to override the time selection, such as:

| savedsearch "Makeresults Show Times" etime=-15m ltime=now

This will then produce the correct data that you are looking for.

That said, it will also break the report when it is referenced not using the etime and ltime variables -- so you would have to make a report that would only cater for this singular use case and for no others, which seems like it would introduce duplication of effort.

So it is possible, just not very practical.

0 Karma
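The asker gets the window from a file that is generated dynamically, so the `| savedsearch "..." etime=... ltime=...` line above ends up being built by a script. Below is an added example (not althomas's code and not anything shipped by Splunk) of how that script can do it safely: it reads a constructed JSON window file, checks that each value is a well-formed Splunk time modifier before it is spliced into SPL, and renders the invocation with both variables always supplied so the report never runs without them. The modifier grammar in `TIME_MODIFIER_RE`, the JSON layout of the window file and the function names are all assumptions made for this example.

```python
import json
import re

# Subset of Splunk's relative-time grammar, written for this example (an
# assumption, not Splunk's own parser): "now", a bare epoch integer, or
# offset/snap chains such as -15m, -1d@d, @w0-7d, +2h@h. Anything else is
# rejected, so a value read from a file cannot smuggle extra SPL into the
# savedsearch line (e.g. a stray "| delete" appended to the latest time).
_UNIT = (r"(?:s|sec|secs|second|seconds|m|min|mins|minute|minutes"
         r"|h|hr|hrs|hour|hours|d|day|days|w|week|weeks"
         r"|mon|month|months|q|qtr|qtrs|quarter|quarters|y|yr|yrs|year|years)")
_OFFSET = r"[+-]\d+" + _UNIT
_SNAP = r"@(?:" + _UNIT + r"|w[0-6])"
TIME_MODIFIER_RE = re.compile(
    r"^(?:now|\d+"
    r"|(?:" + _OFFSET + r")+(?:" + _SNAP + r"(?:" + _OFFSET + r")*)?"
    r"|" + _SNAP + r"(?:" + _OFFSET + r")*)$"
)


def validate_time_modifier(value: str) -> str:
    """Return value unchanged if it is a well-formed time modifier, else raise."""
    if not TIME_MODIFIER_RE.fullmatch(value):
        raise ValueError(f"rejected time modifier: {value!r}")
    return value


def load_time_window(text: str) -> tuple[str, str]:
    """Parse the dynamically generated window file (JSON layout assumed here)."""
    data = json.loads(text)
    return (validate_time_modifier(str(data["earliest"])),
            validate_time_modifier(str(data["latest"])))


def build_savedsearch_invocation(name: str, etime: str, ltime: str) -> str:
    """Render the `| savedsearch` line that feeds $etime$/$ltime$ in the report."""
    # Report names are double-quoted in SPL; escape backslashes and embedded
    # quotes so a name cannot terminate the string literal early.
    safe_name = name.replace("\\", "\\\\").replace('"', '\\"')
    return (f'| savedsearch "{safe_name}" '
            f'etime={validate_time_modifier(etime)} '
            f'ltime={validate_time_modifier(ltime)}')


# Constructed sample of the window file; in practice read it from disk.
SAMPLE_WINDOW_FILE = '{"earliest": "-1d@d", "latest": "now"}'

if __name__ == "__main__":
    earliest, latest = load_time_window(SAMPLE_WINDOW_FILE)
    print(build_savedsearch_invocation("Makeresults Show Times", earliest, latest))
    for bad in ("now | delete", "-15m`", ""):
        try:
            validate_time_modifier(bad)
        except ValueError as exc:
            print("blocked:", exc)
```

Because the report in the answer above has no defaults for `$etime$` and `$ltime$`, the builder refuses to emit a line with either one missing or malformed; the caller gets an exception instead of a report that silently errors out in Splunk.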

nickhills
Ultra Champion

A saved search has a defined time window which is configured when you build the original search; this timeframe is used when the search is executed.

You can't pass earliest/latest to the savedsearch command because you are recalling events with a predetermined window.
Notice that the parameters are not formatted as green when passed to the saved search, but they are for the normal search.

If you are using the saved search to recall a complex search query, consider using a macro instead.

If my comment helps, please give it a thumbs up!