Splunk Search

How do I search for all events occurring 24 hours prior to a variable time?

New Member

I'm running Splunk v4.1.5, and I'm trying to specify a time range in my search so that I can find events within a certain range prior to a given time.

For example, let's say I want to search for events occurring during the 24 hours prior to 10/07/2010:17:38:00. I cannot determine the correct syntax for this search.

Specifying the "earliest" date as "10/06/2010:17:38:00" seems to be an unsatisfactory solution, because I intend to determine the "latest" value using a subsearch, making the "latest" time a variable value.

My attempt at a search query that does this looks like:

'desthostname="www.google.com" earliest=-24h latest="10/07/2010:17:38:00"'

However, executing this search gives:

"Error in 'UnifiedSearch': Unable to parse the 'Invalid time bounds in search: start=1292201255 > end=1286498280' search."

This error seems to indicate that the relative "earliest" search term seems to be tied to the current time, not 10/07/2010:17:38:00, which is what I want.

How can I create a search query that allows me to specify a relative time range that is tied to an arbitrary time? If this isn't possible, is there a way to calculate a non-relative time value that is equivalent to 24 hours before my "latest" time?


Re: How do I search for all events occurring 24 hours prior to a variable time?

Splunk Employee

Yes, relative times are always relative to now(), so you won't be able to accomplish what I think you want to using the search language as such.


Re: How do I search for all events occurring 24 hours prior to a variable time?

Legend

desthostname="www.google.com" |
eval end_time = strptime("10/07/2010:17:38:00", "%m/%d/%Y:%H:%M:%S") |
eval start_time = relative_time(end_time, "-24h") |
where _time >= start_time AND _time <= end_time

This should work! For the green button, choose a time range that will include everything you are looking for - hopefully that doesn't mean searching "all time". You might consider creating a macro with a single argument. The argument would be the time string.

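A macro of the kind the answer suggests, as an added example that is not part of the original thread: a macros.conf stanza taking the time string as its single argument, with the search that calls it shown in a comment. The macro name `events_24h_before`, the argument name `endtime`, and the `%m/%d/%Y:%H:%M:%S` format matching the asker's timestamp style are my assumptions.

```ini
# Added example, not from the original thread: macros.conf stanza for a
# one-argument macro that bounds results to the 24 hours before a given time.
# Macro name and argument name are assumed; $endtime$ is expanded in place.
[events_24h_before(1)]
args = endtime
definition = eval end_time = strptime("$endtime$", "%m/%d/%Y:%H:%M:%S") | eval start_time = relative_time(end_time, "-24h") | where _time >= start_time AND _time <= end_time

# Call it from the search bar with the time picker set wide enough to cover
# the window; `where` is used because the bounds are fields, not literals:
#   desthostname="www.google.com" `events_24h_before(10/07/2010:17:38:00)`
```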