Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I search for all events occuring 24 hours prior to a variable time?

eFlea
New Member
‎12-14-2010 12:55 AM

I'm running Splunk v4.1.5, and I'm trying to specify a time range in my search so that I can find events within a certain range prior to a given time.

For example, lets say I want to search for events occurring during the 24 hours prior to 10/07/2010:17:38:00. I cannot determine the correct syntax for this search.

Specifying the "earliest" date as "10/06/2010:17:38:00" seems to be an unsatisfactory solution, because I intend to determine the "latest" value using a subsearch, making the "latest" time a variable value.

My attempt at a search query that does this looks like:

'desthostname="www.google.com" earliest=-24h latest="10/07/2010:17:38:00"'

However, executing this search gives:

"Error in 'UnifiedSearch': Unable to parse the 'Invalid time bounds in search: start=1292201255 > end=1286498280' search."

This error seems to indicate that the relative "earliest" search term seems to be tied to the current time, not 10/07/2010:17:38:00, which is what I want.

How can I create a search query that allows me to specify a relative time range that is tied to an arbitrary time? If this isn't possible, is there a way to calculate a non-relative time value that is equivalent to 24 hours before my "latest" time?

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎02-15-2012 02:01 AM 
desthostname="www.google.com" |
eval end_time = strptime("10/07/2010:17:38:00", "%D:%T") | 
eval start_time = relative_time(end_time,"-24h") |
search _time >= start_time AND _time <= end_time

This should work! For the green button, choose a time range that will include everything you are looking for - hopefully that doesn't mean searching "all time". You might consider creating a macro with a single argument. The argument would be the time string.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎12-14-2010 06:28 PM

Yes, relative times are always relative to now(), so you won't be able to accomplish what I think you want to using the search language as such.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...