I'm running Splunk v4.1.5, and I'm trying to specify a time range in my search so that I can find events within a certain range prior to a given time.
For example, let's say I want to search for events occurring during the 24 hours prior to 10/07/2010:17:38:00. I cannot determine the correct syntax for this search.
Specifying the "earliest" date as "10/06/2010:17:38:00" seems to be an unsatisfactory solution, because I intend to determine the "latest" value using a subsearch, making the "latest" time a variable value.
My attempt at a search query that does this looks like:
desthostname="www.google.com" earliest=-24h latest="10/07/2010:17:38:00"
However, executing this search gives:
Error in 'UnifiedSearch': Unable to parse the 'Invalid time bounds in search: start=1292201255 > end=1286498280' search.
This error seems to indicate that the relative "earliest" search term is tied to the current time, not to 10/07/2010:17:38:00, which is what I want.
How can I create a search query that allows me to specify a relative time range that is tied to an arbitrary time? If this isn't possible, is there a way to calculate a non-relative time value that is equivalent to 24 hours before my "latest" time?
Yes, relative times are always relative to now(), so you won't be able to accomplish what I think you want using the search language as such.
desthostname="www.google.com" | eval end_time = strptime("10/07/2010:17:38:00", "%m/%d/%Y:%H:%M:%S") | eval start_time = relative_time(end_time, "-24h") | where _time >= start_time AND _time <= end_time
This should work! For the green button, choose a time range that will include everything you are looking for - hopefully that doesn't mean searching "all time". You might consider creating a macro with a single argument. The argument would be the time string.
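The question also asks for a way to compute a non-relative value equal to 24 hours before the "latest" time. The following is an added example, not code from the answer above or from Splunk: it applies a Splunk-style relative modifier to an arbitrary anchor time outside of Splunk and emits absolute epoch earliest/latest values, which Splunk accepts as time bounds, so nothing depends on now(). It goes beyond the -24h case by handling s/m/h/d offsets with optional @-snapping; the timezone offset parameter is an assumption (Splunk interprets the literal in the user's configured timezone).

```python
import re
from datetime import datetime, timedelta, timezone

# Format of the literal time used in the question ("10/07/2010:17:38:00").
ANCHOR_FMT = "%m/%d/%Y:%H:%M:%S"
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
# Subset of Splunk's relative-time grammar handled here (assumption): [+-]N(s|m|h|d)[@(s|m|h|d)]
_REL = re.compile(r"^([+-]?\d+)([smhd])(?:@([smhd]))?$")


def relative_to(anchor: datetime, spec: str) -> datetime:
    """Apply a relative modifier such as '-24h' or '-1d@d' to `anchor` instead of now()."""
    m = _REL.match(spec)
    if not m:
        raise ValueError(f"unsupported relative time: {spec!r}")
    amount, unit, snap = m.groups()
    t = anchor + timedelta(**{_UNIT[unit]: int(amount)})
    # Snap to the start of the requested unit, as Splunk's @ modifier does.
    if snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "s":
        t = t.replace(microsecond=0)
    return t


def absolute_bounds(latest: str, spec: str, tz_hours: float = 0) -> tuple[int, int]:
    """Return (earliest_epoch, latest_epoch) for the window `spec` ending at the
    literal `latest`, interpreted at the UTC offset `tz_hours` (assumed to match
    the searching user's Splunk timezone)."""
    tz = timezone(timedelta(hours=tz_hours))
    end = datetime.strptime(latest, ANCHOR_FMT).replace(tzinfo=tz)
    start = relative_to(end, spec)
    if start > end:  # the same sanity check that produced the error in the question
        raise ValueError("start must not be after end")
    return int(start.timestamp()), int(end.timestamp())


def build_search(base: str, latest: str, spec: str, tz_hours: float = 0) -> str:
    """Emit the base search with absolute epoch earliest=/latest= bounds."""
    start, end = absolute_bounds(latest, spec, tz_hours)
    return f"{base} earliest={start} latest={end}"


if __name__ == "__main__":
    # UTC-7 reproduces the end=1286498280 seen in the question's error message.
    print(build_search('desthostname="www.google.com"', "10/07/2010:17:38:00", "-24h", -7))
```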