Splunk Search

How to add seconds to epoch time using time modifiers?

skoelpin
SplunkTrust
SplunkTrust

I have a dashboard which uses tokens that look like this

earliest=$TIME.earliest$ latest=$TIME.earliest$+60s

If I use the timerange picker and select a relative time, the search works as expected and earliest=-1h latest=-1h+60s works as expected. If I use a non-relative time then it looks like this earliest=1528398925 latest=1528398925+60s which does not work.

How can I get this to work with non-relative time?

Tags (2)
0 Karma
1 Solution

DalJeanis
Legend

The most effective way to do this is ** in a dash ** is to have your time-picker set its normal tokens, and then have a hidden search use only the value of the earliest token, and return the value of earliest in epoch and the value of earliest+60s in epoch into two new and different tokens.

Use those tokens in your actual search.

This is less finnicky than using a subsearch, and should be measurably faster, in my experience.

View solution in original post

DalJeanis
Legend

The most effective way to do this is ** in a dash ** is to have your time-picker set its normal tokens, and then have a hidden search use only the value of the earliest token, and return the value of earliest in epoch and the value of earliest+60s in epoch into two new and different tokens.

Use those tokens in your actual search.

This is less finnicky than using a subsearch, and should be measurably faster, in my experience.

skoelpin
SplunkTrust
SplunkTrust

This is the exact approach I took and it worked perfectly!!

Here's the workflow

  • Create panel with 2 fields, earliest and latest _time
  • Assign earliest and latest with tokens from the timeranger picker
  • Use a token to capture the earliest value from this panel
  • Pass that token into the top base search and add the needed time
  • Hide the extra panel

DalJeanis
Legend

Glad it worked for you. It would not have to be a separate panel, it could also be a hidden control in the first panel, and/or a search outside of panels completely, but you got it working, so that's great!

0 Karma

somesoni2
Revered Legend

Are you using those tokens inline in the search OR in the time-range picker of the dashboard panel?

0 Karma

skoelpin
SplunkTrust
SplunkTrust

I'm using then in an in-line search like this

index=blah earliest=$TIME.earliest$ latest=$TIME.earliest$+60s

The tokens are set in the dashboards timerange picker and all the panels run off a base search which is using the search above

0 Karma

somesoni2
Revered Legend

Try something like this

 <search id="baseSearch">
    <query>index=blah [| gentimes start=-1 | addinfo | eval earliest=info_min_time | eval latest=info_min_time+60 | table earliest latest | format ] ....rest of the search... </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>

The sub-search will run using your selected time range picker/token value, and override the main search time range with updated ones.

skoelpin
SplunkTrust
SplunkTrust

Whenever I run this, I'm getting the following error

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.
0 Karma

skoelpin
SplunkTrust
SplunkTrust

I figured out the Error issue, its with the way the results are formatted from the format command. If you remove the parenthesis then it works as expected. Still working my way through this

0 Karma

skoelpin
SplunkTrust
SplunkTrust

I'm also getting this error

Error in timechart command: The argument '(( earliest=1528750293.000 AND latest=1528750353.000))' is invalid
0 Karma

niketn
Legend

@somesoni2, using addinfo, the All Time selection would need to be handled separately. For this particular usecase a condition for earliest=0 and latest="+Infinity" should set the token to $TIME.earliest$ and $TIME.latest$ respectively.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

somesoni2
Revered Legend

That a good point. However, I believe he wants his search's latest to be based on earliest value (earliest+60sec), so subsearch is fine.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...