Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

RussSmith
Explorer
‎03-12-2018 07:51 AM

Hi

I'm after some help on how to set up an adhoc search which displays to an ITSI Glass-table...
We've developed a number of dashboards which show the status of jobs, how many times they've run this period (normally each day) and what time they started and finished. This works great for jobs that are running daily.

We have 1 specific job that only runs if a file is present - typically that's only once or twice month. I want to use an adhoc search which shows us the date/time that it was last run - for a time window of the previous 31 days. This works great if the job has run in the past 2 days, but the Glass-table editor doesn't allow me to change the "earliest time" to anything other more than "2 days ago" - meaning that the dashboard displays a N/A.

If I manually run the search I get an option to extend the time-frame to the last 1 month, and the search works fine (today is 12th March, the job last ran on 09th March - which the manual search shows).

Is there a way of changing the "earliest time" on the Glass-Table to a longer time-frame that 2 days so we can display this info?

This is the search we are using (works fine manually): 

index=mail" " "started"
|  stats latest(_time) as _time 
|  eval last_processed_at="Last Run:" .
 strftime(_time, "%d/%m/%y, %H:%M") 
|  table last_processed_at

This is the option that is presented on Glass-table editor:
alt text

Preview file
1 KB
0 Karma
Reply

kevinab9gt
New Member
‎04-28-2020 05:50 AM

If you are still having an issue with this, just as ansif said add earliest=-2d to your search, recommend like:
index=mail" " "started" earliest=-2d
The number minus (-) is backwards, the 2 can be any number, the d specifies days, if you want from the beginning of the day add @d (-2d@d), otherwise it is days ago from the current time.

0 Karma
Reply

ansif
Motivator
‎03-16-2018 02:00 AM

Is there any challenge to specify time modifiers in search.

Like,earliest=-2d

And one more suggestion is to upgrade ITSI which is very easy to upgrade.

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 02:02 AM

Hi,

I don't think there is such limit. Which version of the app you are using?

0 Karma
Reply

RussSmith
Explorer
‎03-13-2018 02:07 AM

Hi
We are using 6.6.3

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 02:15 AM

I mean ITSI version?

0 Karma
Reply

RussSmith
Explorer
‎03-13-2018 02:38 AM

Sorry -
Current Application: IT Service Intelligence
App Version 2.6.1
App Build- 436798497

0 Karma
Reply
Get Updates on the Splunk Community!

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...

Observability Cloud | AWS PrivateLink Enabled for Splunk Observability Cloud

We’ve enabled AWS PrivateLink for Observability Cloud, giving you an additional inbound connection to send ...

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...