Splunk IT Service Intelligence
Highlighted

How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

Explorer

Hi

I'm after some help on how to set up an adhoc search which displays to an ITSI Glass-table...
We've developed a number of dashboards which show the status of jobs, how many times they've run this period (normally each day) and what time they started and finished. This works great for jobs that are running daily.

We have 1 specific job that only runs if a file is present - typically that's only once or twice month. I want to use an adhoc search which shows us the date/time that it was last run - for a time window of the previous 31 days. This works great if the job has run in the past 2 days, but the Glass-table editor doesn't allow me to change the "earliest time" to anything other more than "2 days ago" - meaning that the dashboard displays a N/A.

If I manually run the search I get an option to extend the time-frame to the last 1 month, and the search works fine (today is 12th March, the job last ran on 09th March - which the manual search shows).

Is there a way of changing the "earliest time" on the Glass-Table to a longer time-frame that 2 days so we can display this info?

This is the search we are using (works fine manually):

index=mail" " "started"
|  stats latest(_time) as _time 
|  eval last_processed_at="Last Run:" .
 strftime(_time, "%d/%m/%y, %H:%M") 
|  table last_processed_at

This is the option that is presented on Glass-table editor:
alt text

0 Karma
Highlighted

Re: How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

Champion

Hi,

I don't think there is such limit. Which version of the app you are using?

0 Karma
Highlighted

Re: How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

Explorer

Hi
We are using 6.6.3

0 Karma
Highlighted

Re: How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

Champion

I mean ITSI version?

0 Karma
Highlighted

Re: How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

Explorer

Sorry -
Current Application: IT Service Intelligence
App Version 2.6.1
App Build- 436798497

0 Karma
Highlighted

Re: How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

Motivator

Is there any challenge to specify time modifiers in search.

Like,earliest=-2d

And one more suggestion is to upgrade ITSI which is very easy to upgrade.

0 Karma
Highlighted

Re: How to set up an Adhoc search for ITSI Glass table with an earliest time older than 2 days ago?

New Member

If you are still having an issue with this, just as ansif said add earliest=-2d to your search, recommend like:
index=mail" " "started" earliest=-2d
The number minus (-) is backwards, the 2 can be any number, the d specifies days, if you want from the beginning of the day add @d (-2d@d), otherwise it is days ago from the current time.

0 Karma