Splunk Search

Assigning a field value to "Earliest" "Latest" time modifiers

epw0rrell
Explorer

Hello, I am interested in making the results of one index search (in particular the values of fields early and late) used in a different index search as values assigned to earliest latest. 

index="a" <find a specific event>
| eval timeTOsecs=strftime(_time, "%s")
| eval early_time= timeTOsecs-300
| eval late_time= timeTOsecs+300
| eval early=strftime(early_time, "%m/%d/%Y:%H:%M:%S")
| eval late=strftime(late_time, "%m/%d/%Y:%H:%M:%S")

My next search would search for all events using the early and late values of the previous search and assign them to earliest latest.

index="b" earliest=early latest=late

Everything I have tried up to this point seems to point to "earliest" and "latest" modifiers will not allow you to assign a field value to them.  Essentially I want to perform the function that Splunk automates through its UI when it lets the user run a search on events before and after a given time. 

Screen Shot 2020-09-24 at 11.33.06 AM.png

 

Thanks for anyone that can help me and let me know if I can be clearer in explaining because sometimes it is hard to understand other people's context.

Labels (3)
Tags (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

At the end of the first query in your dashboard, you can assign values to tokens. You can then use these tokens to set the earliest and latest values for a query in another dashboard

          <query>your query to find the values you want</query>
          <earliest>your time period start</earliest>
          <latest>your time period end</latest>
          <finalized>
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_start">$result.early$</set>
                            <set token="tok_end">$result.late$</set>
                     </condition>
                     <condition>
                            <set token="tok_start"></set>
                            <set token="tok_end"></set>
                     </condition>
          </finalized>           

View solution in original post

epw0rrell
Explorer

ITWhisperer,

You are the best!  It now works perfectly and I wish I could show you.  Thank you so very much!!

0 Karma

epw0rrell
Explorer

Thanks for your quick feedback.  I placed the code within the first dashboard and it seems to not break anything.  However, I am getting an error "waiting for input within dashboard 2.  Where exactly would the "tok_start" and "tok_end" go within the dashboard.  I tried applying them to:

<earliest>$tok_start.earliest$</earliest>
<latest>$tok_end.latest$</latest>

I also tried applying them to the fieldset portion of the Dashboard but it did not work then either.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try:

<earliest>$tok_start$</earliest>
<latest>$tok_end$</latest>

Also, you might want to set tok_start and tok_end to sensible values (rather than blanks as I suggested as I don't know what would be sensible for your query). you should do this in the change handler as well as an init block near the top of your dashboard

ITWhisperer
SplunkTrust
SplunkTrust

At the end of the first query in your dashboard, you can assign values to tokens. You can then use these tokens to set the earliest and latest values for a query in another dashboard

          <query>your query to find the values you want</query>
          <earliest>your time period start</earliest>
          <latest>your time period end</latest>
          <finalized>
                    <condition match=" 'job.resultCount' != 0">
                            <set token="tok_start">$result.early$</set>
                            <set token="tok_end">$result.late$</set>
                     </condition>
                     <condition>
                            <set token="tok_start"></set>
                            <set token="tok_end"></set>
                     </condition>
          </finalized>           
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...