Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add seconds to epoch time using time modifiers?

skoelpin
SplunkTrust
SplunkTrust
‎06-07-2018 01:33 PM

I have a dashboard which uses tokens that look like this

earliest=$TIME.earliest$ latest=$TIME.earliest$+60s

If I use the timerange picker and select a relative time, the search works as expected and earliest=-1h latest=-1h+60s works as expected. If I use a non-relative time then it looks like this earliest=1528398925 latest=1528398925+60s which does not work.

How can I get this to work with non-relative time?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-09-2018 12:53 PM

The most effective way to do this is ** in a dash ** is to have your time-picker set its normal tokens, and then have a hidden search use only the value of the earliest token, and return the value of earliest in epoch and the value of earliest+60s in epoch into two new and different tokens.

Use those tokens in your actual search.

This is less finnicky than using a subsearch, and should be measurably faster, in my experience.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-09-2018 12:53 PM

The most effective way to do this is ** in a dash ** is to have your time-picker set its normal tokens, and then have a hidden search use only the value of the earliest token, and return the value of earliest in epoch and the value of earliest+60s in epoch into two new and different tokens.

Use those tokens in your actual search.

This is less finnicky than using a subsearch, and should be measurably faster, in my experience.

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-12-2018 04:58 PM

This is the exact approach I took and it worked perfectly!!

Here's the workflow

  • Create panel with 2 fields, earliest and latest _time
  • Assign earliest and latest with tokens from the timeranger picker
  • Use a token to capture the earliest value from this panel
  • Pass that token into the top base search and add the needed time
  • Hide the extra panel
Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-15-2018 04:22 PM

Glad it worked for you. It would not have to be a separate panel, it could also be a hidden control in the first panel, and/or a search outside of panels completely, but you got it working, so that's great!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-07-2018 01:42 PM

Are you using those tokens inline in the search OR in the time-range picker of the dashboard panel?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-07-2018 02:03 PM

I'm using then in an in-line search like this

index=blah earliest=$TIME.earliest$ latest=$TIME.earliest$+60s

The tokens are set in the dashboards timerange picker and all the panels run off a base search which is using the search above

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-07-2018 02:09 PM

Try something like this

 <search id="baseSearch">
    <query>index=blah [| gentimes start=-1 | addinfo | eval earliest=info_min_time | eval latest=info_min_time+60 | table earliest latest | format ] ....rest of the search... </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>

The sub-search will run using your selected time range picker/token value, and override the main search time range with updated ones.

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-11-2018 01:32 PM

Whenever I run this, I'm getting the following error 

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.
0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-12-2018 09:43 AM

I figured out the Error issue, its with the way the results are formatted from the format command. If you remove the parenthesis then it works as expected. Still working my way through this

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-11-2018 01:55 PM

I'm also getting this error 

Error in timechart command: The argument '(( earliest=1528750293.000 AND latest=1528750353.000))' is invalid
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-07-2018 07:35 PM

@somesoni2, using addinfo, the All Time selection would need to be handled separately. For this particular usecase a condition for earliest=0 and latest="+Infinity" should set the token to $TIME.earliest$ and $TIME.latest$ respectively.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-08-2018 09:26 AM

That a good point. However, I believe he wants his search's latest to be based on earliest value (earliest+60sec), so subsearch is fine.

0 Karma
Reply
Get Updates on the Splunk Community!

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...

This month, we’re delivering several platform, infrastructure, application and digital experience monitoring ...
Top