How to achieve maximum value for "latest" time mod...

eregon · ‎04-20-2023

Dear fellow Splunkthusiasts!

I have found out one of old scheduled searches in my installation is failing with this error message:

Invalid value "+18y@y" for time term 'latest'

Looking closer, it turned out the search fails with any value beyond latest=01/19/2038:04:14:07 . I have noticed this value as expiration date for perpetual licenses as well.

I understand this is the maximum time that could be represented by four-byte signed integer as a number of seconds since 1970-01-01 00:00:00.

My question is: how do I specify - using time modifiers in SPL - that my time range includes future with no upper limit? I don't want to hard-code the above-mentioned time into my search, as that limit may (and surely will) change in the future, not to mention it is not very self-explanatory.

woodcock · ‎04-20-2023

I would hardcode it as "2147483647" which is maxint for time_t in Splunk. By the time it makes a difference, you won't be around.

richgalloway · ‎04-20-2023

I suggest hardcoding the upper limit. It's a well-known value among Linux aficionados. For the uninitiated, include a ```comment explaining why the value is what it is```.

---
If this reply helps you, Karma would be appreciated.

eregon · ‎04-20-2023

For some answers all you need to do is ask - then you realize yourself.

The answer to my question is: to search for any future events with no upper limit, just omit the latest=<...> time modifier (use only earliest=<...>) in your search.

richgalloway · ‎04-20-2023

Omitting latest is equivalent to specifying now. It does not search events with dates in the future.

---
If this reply helps you, Karma would be appreciated.

eregon · ‎04-20-2023

Hi @richgalloway , thanks for fast responses!

Actually, I have tried omitting the latest value and Splunk shows me something else. As a run-everywhere example, I run the following SPL:

| tstats count where index=_internal

The line below the SPL edit box shows:

XXX events (4/19/23 8:00:00.000 PM to 4/20/23 8:12:11.000 PM)

(which corresponds to time picker being set to "Last 24 hours")

Now I change the SPL by adding earliest, omitting latest (leaving time picker untouched):

| tstats count where index=_internal earliest=-h@h

The status line now shows:

XXX events (4/20/23 7:00:00.000 PM to 1/19/38 4:14:07.000 AM)

Also, my original (site specific) SPL actually returns the future events. Is it possible this behavior has changed in recent versions of Splunk? (I am on 9.0.4)

isoutamo · ‎04-20-2023

Thank's!

This seems to be something new and also docs Examples of relative time modifiers didn't know that. They are told the old way which @richgalloway already told.

You should leave comments on that documentation that this behaviour has changes and is different what are in docs! Fortunately doc team is eager to update documentation when someone found errors or not enough clearly explained issues.

I also test this on Splunk 9.0.4.1and 9.0.3 on macOS and it works just like you describe.

r. Ismo

lstewart_splunk · ‎04-21-2023

Hello from the Splunk Docs team!
Several people have reported this issue based on this thread.

We are looking into it and will updated this thread and the docs when we have more information.

Thanks for sending us the feedback!

How to achieve maximum value for "latest" time modifier?

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life