Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I access the search timeframe within the search?

auntyem
Explorer
‎09-13-2012 08:44 AM

I want to get at the duration of the search timeframe within the search itself. So if I set the search to look at the previous month, I want to know within the search the length of that month (in days, hours, whatever, I can convert if I can get it in some time format). This seems like it should be easy but I can't figure out how to do it, as searching for words like 'time frame' give me a huge amount of results.

Are there some variables of functions that I can use to get this?

Thanks,
Mary

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 09:17 AM

Add " | addinfo " to your search.

This gives you access to the following fields :

info_min_time: the earliest time bound for the search
info_max_time: the latest time bound for the search.

Docs here

View solution in original post

Reply
Solved! Jump to solution

mixolydian
Path Finder
‎09-13-2012 09:22 AM

I believe you are looking for searchEarliestTime and searchLatestTime. This thread describes the process of getting them using the search ID, and a comment describing a solution that might meet your requirements.

http://splunk-base.splunk.com/answers/53056/obtaining-the-search-time-range-in-a-custom-search-comma...

Hope that helps.

Update: I think jonuwz's solution is easiest.

Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-13-2012 09:17 AM

Add " | addinfo " to your search.

This gives you access to the following fields :

info_min_time: the earliest time bound for the search
info_max_time: the latest time bound for the search.

Docs here

Reply
Solved! Jump to solution

mixolydian
Path Finder
‎09-14-2012 10:57 AM

Glad to hear it, auntyem! For future, I don't believe a 'where' command would remove fields. More likely it would be a 'table' or 'fields' command, which limit fields in all events, rather than events themselves, as is the case with 'where'.

0 Karma
Reply
Solved! Jump to solution

auntyem
Explorer
‎09-14-2012 10:43 AM

That's it! moving hte addinfo did the trick! Probably makes sense as I had a where command a bit earlier in the search but after the add info. Thanks!

Reply
Solved! Jump to solution

mixolydian
Path Finder
‎09-14-2012 10:32 AM

It worked for me. If possible, I would place the addinfo right before the eval for total time. Perhaps you are losing those info_ variables before you get to the eval. You could try placing " | addinfo | eval duration = info_max_time - info_min_time | table info_max_time, info_min_time, duration" at the end of any test search to see if it is working for you before you plug it into your actual search.

Reply
Solved! Jump to solution

auntyem
Explorer
‎09-14-2012 10:17 AM

I tried that earlier (first thing I thought of)...It didn't work?? here's the last part of my search:

|eval total_time=info_max_time-info_min_time|table total_down_time, total_time

my table showed the total_down_time (calced earlier in the search but not the total_time. Am I missing a fatfinger? The addinfo was also earlier in the search.

Reply
Solved! Jump to solution

mixolydian
Path Finder
‎09-14-2012 10:12 AM

How about " | eval duration = info_max_time - info_min_time"? That will give you duration in seconds.

0 Karma
Reply
Solved! Jump to solution

auntyem
Explorer
‎09-14-2012 07:16 AM

Thanks! Now, stupid question, how to I use them to get the duration of the time? Can't seem to figure that out. I think I need to use some conversion functions but havne't quite found the right one.

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...