Splunk Search

Can I control earliest and latest date using fixed dates?


I have 2 searches that I am appending that looks something like

search1 | append [search search2]

and basically search 1 has data for 6 months e.g. Jan-Jun and search 2 has data for 6 months e.g.Jun-Nov.

Can I control search1 to search for all dates up to June 15th at midnight using latest?

And can I control search2 to search for all dates from June 15th at midnight using earliest? This way from a graphing point of view they all line up.

This way my earch would look something like

search1 latest=20140615 | append [search search2 earliest=20140616 ]

NOTE I have asked this Q before but sollution I found then was starttime= 03/16/2015:00:00:00 but that is now deprecated so I am looking for a better solution.

0 Karma


Since you're hardcoding the dates anyways, so I would suggest to provide the epoch equivalent time for latest and earliest, like this

1402894800 - 6/16/2014, 12:00:00 AM GMT-5:00

search1 latest=1402894800| append [search search2 earliest=1402894800 ]

If you still want to use a human readable format, then you can use subsearches like this

    search1 [| gentimes start=-1 | eval latest=strptime("20140616","%Y%m%d") | table latest ]
  | append [search search2 [| gentimes start=-1 | eval earliest=strptime("20140616","%Y%m%d") | table earliest]]