Splunk Search

Can I access the search timeframe within the search?

Explorer

I want to get at the duration of the search timeframe within the search itself. So if I set the search to look at the previous month, I want to know within the search the length of that month (in days, hours, whatever, I can convert if I can get it in some time format). This seems like it should be easy but I can't figure out how to do it, as searching for words like 'time frame' give me a huge amount of results.

Are there some variables or functions that I can use to get this?

Thanks,
Mary


Re: Can I access the search timeframe within the search?

Influencer

Add `| addinfo` to your search.

This gives you access to the following fields:

info_min_time: the earliest time bound for the search
info_max_time: the latest time bound for the search

Docs here



Re: Can I access the search timeframe within the search?

Explorer

Thanks! Now, stupid question, how do I use them to get the duration of the time? Can't seem to figure that out. I think I need to use some conversion functions but haven't quite found the right one.


Re: Can I access the search timeframe within the search?

Path Finder

How about `| eval duration = info_max_time - info_min_time`? That will give you the duration in seconds.


Re: Can I access the search timeframe within the search?

Explorer

I tried that earlier (first thing I thought of)... It didn't work?? Here's the last part of my search:

`| eval totaltime=info_max_time-info_min_time | table totaldowntime, totaltime`

My table showed the totaldowntime (calced earlier in the search) but not the totaltime. Am I missing a fatfinger? The addinfo was also earlier in the search.


Re: Can I access the search timeframe within the search?

Path Finder

It worked for me. If possible, I would place the addinfo right before the eval for total time. Perhaps you are losing those info_* fields before you get to the eval. You could try placing `| addinfo | eval duration = info_max_time - info_min_time | table info_max_time, info_min_time, duration` at the end of any test search to see if it is working for you before you plug it into your actual search.
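Putting the accepted answer and the placement advice above together, here is an added SPL example (not from any post in this thread) that computes the search window with `addinfo` and uses it to normalise a downtime total the way the original poster wanted. The index, sourcetype and the `outage_seconds` field are assumptions standing in for whatever the real search produces. `addinfo` is placed after the transforming `stats`, because `stats` only keeps the fields it outputs, whereas `where` filters events and leaves fields alone. The `isnum` guard covers an "All time" search, where Splunk sets `info_max_time` to the string `+Infinity` rather than a number, so the subtraction would otherwise produce nothing.

```spl
``` Assumed index, sourcetype and outage_seconds field: replace with your own. ```
index=availability sourcetype=uptime_probe status=down earliest=-1mon@mon latest=@mon
| stats sum(outage_seconds) AS totaldowntime
``` addinfo goes after stats so the info_* fields survive to the eval ```
| addinfo
``` All time sets info_max_time to "+Infinity" (a string), so only subtract when it is numeric ```
| eval totaltime=if(isnum(info_max_time), info_max_time - info_min_time, null())
| eval totaltime_days=round(totaltime / 86400, 2)
| eval downtime_pct=round(100 * totaldowntime / totaltime, 3)
``` Display the epoch bounds as readable timestamps without changing the underlying values ```
| fieldformat info_min_time=strftime(info_min_time, "%Y-%m-%d %H:%M:%S")
| fieldformat info_max_time=strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| table info_min_time info_max_time totaltime_days totaldowntime downtime_pct
```

For a calendar month the `totaltime_days` column comes out as 28, 29, 30 or 31 depending on the month selected, which is the "length of that month" the question asked for. If `totaltime` is empty, the search was run over All time (or `addinfo` was placed before a command that dropped the fields), and `downtime_pct` will be empty as well rather than silently wrong.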


Re: Can I access the search timeframe within the search?

Explorer

That's it! Moving the addinfo did the trick! Probably makes sense as I had a where command a bit earlier in the search but after the addinfo. Thanks!


Re: Can I access the search timeframe within the search?

Path Finder

Glad to hear it, auntyem! For future, I don't believe a 'where' command would remove fields. More likely it would be a 'table' or 'fields' command, which limit fields in all events, rather than events themselves, as is the case with 'where'.


Re: Can I access the search timeframe within the search?

Path Finder

I believe you are looking for searchEarliestTime and searchLatestTime. This thread describes the process of getting them using the search ID, and a comment describing a solution that might meet your requirements.

http://splunk-base.splunk.com/answers/53056/obtaining-the-search-time-range-in-a-custom-search-comma...

Hope that helps.

Update: I think jonuwz's solution is easiest.