Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I narrow my base query by time

chris94089
Path Finder
‎08-17-2020 10:29 PM

Greetings,

I want to use one base query for my dashboard, with time going back a couple months.   I thought I would populate one big search and and then have dashboards narrow it by relative time chunks for day/week/month, I tried using 

| where

but I noticed that 

 |  mysearch  earliest=08/10/2020:00:00:00 latest=@d | where _time>relative_time("@d", "-2d@d")

does not generate results since relative_time() wants an epoch time as the first argument, which is lame since the other argument totally accepts relative snap-to time.

Is there a way to do this?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2020 01:24 PM

What is 

where _time>relative_time("@w", "-2w@w")

supposed to mean?  What exactly is supposed to be relative to "@w" and "-2w@w"?

That you usually see now() as the first argument to relative_time does not mean that is the only option. The first argument can be any number and that number will be interpreted as an epoch timestamp and the return value will be relative to that timestamp.

To put an upper bound on time, use another call to relative_time().

where (_time>relative_time(now(), "-2w@w") AND (_time < relative_time(now(), "@w"))

Of course, all data are constrained to the limits of the search window, either via the time picker or the earliest and latest options.

BTW, earliest and latest are options to the search command (which is implied before the first pipe).

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2020 06:38 AM

The relative_time function makes time math easier.  It takes an epoch timestamp and returns a new epoch timestamp that is offset from the original by the amount specified in the second argument.  That the second argument must be a relative time specifier has no bearing on what the first argument is allowed to be.

I believe you can narrow your base query this way

|  mysearch  earliest=08/10/2020:00:00:00 latest=@d 
| where _time>relative_time(now(), "-2d@d")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

chris94089
Path Finder
‎08-18-2020 09:22 AM

Ok, this does "work" in that it returns search results.  But if anything it makes things more frustrating since it's the only relative value that relative_time() function seems to support in the first argument.  Literally every doc I've seen uses the now() function in the relative_time() examples.  But the devs should know that not all data needs to be thought of as "up to now."

where _time>relative_time(now(), "-2d@d")

is allowed, but

where _time>relative_time("@w", "-2w@w")

is not allowed? (I changed from days to weeks, to hopefully better illustrate the use case)

Accounting, for example, doesn't necessarily require data up to the moment the report is being viewed.  It hinges on defined periods like months and quarters.  In sales, weeks become more important.

And the devs do support this concept since the latest= key can be set to something other than now at search time, but it seems this functionality is only supported at the start of the pipe, and not further down.  This behavior ultimately limits the usefulness of scheduled searches and base queries in dashboards.

 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2020 01:24 PM

What is 

where _time>relative_time("@w", "-2w@w")

supposed to mean?  What exactly is supposed to be relative to "@w" and "-2w@w"?

That you usually see now() as the first argument to relative_time does not mean that is the only option. The first argument can be any number and that number will be interpreted as an epoch timestamp and the return value will be relative to that timestamp.

To put an upper bound on time, use another call to relative_time().

where (_time>relative_time(now(), "-2w@w") AND (_time < relative_time(now(), "@w"))

Of course, all data are constrained to the limits of the search window, either via the time picker or the earliest and latest options.

BTW, earliest and latest are options to the search command (which is implied before the first pipe).

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

chris94089
Path Finder
‎08-21-2020 05:51 PM

that last little bit is super creative.  I need to try it

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...