Hi,
I have to pass a custom 'startdate' and 'enddate' in a Splunk query in the search tab (without the help of the Splunk default date picker which is available in the Splunk app search tab).
Can anyone show me an example with a basic search which will work in Splunk search (page)?
If I am understanding your question correctly, you are looking for the "earliest" and "latest" parameters:
index=_internal earliest="06/24/2019:0:0:0" latest="06/24/2019:23:59:59"
@gportnoy Thanks for the Answer.
index=_internal earliest="05/26/2019:12:00:00" latest="06/25/2019:12:03:00" | stats count by sourcetype
This is working well. I need to do some customization for using the queries in my custom js file.
@gportnoy Thanks for your answer.
This question does not provide enough information.
Where are you passing the custom 'startdate' and 'enddate'?
What are you searching for?
What's the context of your question in regards to your data?
@jnudell_2 Below I have mentioned more details about my question. Please go through that.
Example query: "index=_internal | stats count by sourcetype"
I want to know whether there is any way to pass 'startdate' and 'enddate' in the above-mentioned Splunk query.
For example, 01/05/2019 (startdate) to 04/05/2019 (enddate) in the Splunk search tab page.
If that is not possible in this query then please show me how to do that in any other query.
I am using a custom js page for calling Splunk queries. I have mentioned a sample below:
var mySearch = new SearchManager({
    id: "mysearch",
    preview: true,
    cache: false,
    search: mvc.tokenSafe('index=_internal | stats count by sourcetype')
});
So if you help me with how to achieve 'startdate' and 'enddate' in a Splunk query (manually), I can run that query in the js file and check whether the data is loading or not.
Thanks in advance.
Hi @sajithpm101,
You can provide the earliest and latest time in the SearchManager object itself.
Like:
var searchFunctionalAreas = new SearchManager({
    id: "functional-areas",
    earliest_time: startdate_in_epochs,
    latest_time: enddate_in_epochs,
    preview: true,
    cache: false,
    search: 'your search here...'
});
Tell me if I am missing something.
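The two approaches in the answers above (inline earliest/latest modifiers, and epoch values for SearchManager) can share one validation step, so a date that arrives from a form field or URL never reaches the search string unchecked. This is an added example, not code from any poster in this thread or from Splunk; the function names are hypothetical, input is assumed to be MM/DD/YYYY as in the earliest/latest answer, and epochs are computed in UTC.

```javascript
// Added example. parseDate and buildTimeRange are hypothetical helper names,
// not part of SplunkJS.
const DATE_RE = /^(\d{2})\/(\d{2})\/(\d{4})$/;

// Accept only a strict MM/DD/YYYY string. Anything else (quotes, pipes,
// extra SPL) is rejected before it can be interpolated into a search.
function parseDate(text) {
  const m = DATE_RE.exec(String(text));
  if (!m) throw new Error("expected MM/DD/YYYY, got " + JSON.stringify(text));
  const month = Number(m[1]), day = Number(m[2]), year = Number(m[3]);
  // Round-trip through Date to reject impossible dates such as 02/30/2019.
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 ||
      d.getUTCDate() !== day) {
    throw new Error("not a calendar date: " + text);
  }
  return { year, month, day };
}

const pad = (n) => String(n).padStart(2, "0");

// Returns epoch seconds for SearchManager's earliest_time / latest_time and
// the equivalent inline modifiers for the search bar.
// Assumption: whole days, 00:00:00 to 23:59:59, interpreted as UTC.
function buildTimeRange(startDate, endDate) {
  const s = parseDate(startDate), e = parseDate(endDate);
  const earliest = Date.UTC(s.year, s.month - 1, s.day, 0, 0, 0) / 1000;
  const latest = Date.UTC(e.year, e.month - 1, e.day, 23, 59, 59) / 1000;
  if (latest < earliest) throw new Error("enddate is before startdate");
  const fmt = (d, t) => `${pad(d.month)}/${pad(d.day)}/${d.year}:${t}`;
  return {
    earliest_time: earliest,
    latest_time: latest,
    spl: `earliest="${fmt(s, "00:00:00")}" latest="${fmt(e, "23:59:59")}"`,
  };
}

// Constructed sample input: the date range from the question.
const range = buildTimeRange("01/05/2019", "04/05/2019");
console.log(`index=_internal ${range.spl} | stats count by sourcetype`);
// In a dashboard, pass range.earliest_time and range.latest_time to
// SearchManager as shown in the answer above.
```

The inline modifiers are interpreted in the Splunk user's time zone, so the epoch values and the inline form only describe the same window when that zone is UTC.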
Hi @sajithpm101,
You can use the addinfo command to include all the search info to your results :
|makeresults | addinfo
This will add the time you ran the search along with the min and max time you are looking for.
More info on addinfo here : https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Addinfo
Hope that helps.
Cheers,
David
@sajithpm101, did you try using addinfo as suggested ?
@DavidHourani Thanks for your answer. It was new knowledge for me.
But actually, this is not what I want. I would like to clarify my question a little more.
For example, I have a basic query that I have mentioned below.
Example query: 'index=_internal | stats count by sourcetype'.
I want to know how I can apply the startdate and enddate for this query (01/05/19 to 04/05/19) in the Splunk search page. Right now, if I write the query in the Splunk search page, it will run based on the date range which I have given in the Splunk default date picker. Instead of this, the custom date range I have given in the search bar with the query should give the result.
I think now you can clearly understand my requirement.
Thanks in advance
Hi @sajithpm101,
Got it!
So by default when you save a search to a dashboard it will use the current time of the search you created. You can click on edit search on the dashboard and change that if needed.
Another easy way to control this time is to save your search as a report including the time. Then reuse that report wherever needed on that time frame.