Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I control earliest and latest date using fixed dates?

HattrickNZ
Motivator
‎03-02-2016 11:49 AM

I have 2 searches that I am appending that looks something like

search1 | append [search search2]

and basically search 1 has data for 6 months e.g. Jan-Jun and search 2 has data for 6 months e.g.Jun-Nov.

Can I control search1 to search for all dates up to June 15th at midnight using latest?

And can I control search2 to search for all dates from June 15th at midnight using earliest? This way from a graphing point of view they all line up.

This way my earch would look something like

search1 latest=20140615 | append [search search2 earliest=20140616 ]

NOTE I have asked this Q before but sollution I found then was starttime= 03/16/2015:00:00:00 but that is now deprecated so I am looking for a better solution.

0 Karma
Reply

somesoni2
Revered Legend
‎03-02-2016 12:08 PM

Since you're hardcoding the dates anyways, so I would suggest to provide the epoch equivalent time for latest and earliest, like this

1402894800 - 6/16/2014, 12:00:00 AM GMT-5:00

search1 latest=1402894800| append [search search2 earliest=1402894800 ]

If you still want to use a human readable format, then you can use subsearches like this

    search1 [| gentimes start=-1 | eval latest=strptime("20140616","%Y%m%d") | table latest ]
  | append [search search2 [| gentimes start=-1 | eval earliest=strptime("20140616","%Y%m%d") | table earliest]]
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...