Splunk Search

How to add seconds to epoch time using time modifiers?

SplunkTrust
SplunkTrust

I have a dashboard which uses tokens that look like this

earliest=$TIME.earliest$ latest=$TIME.earliest$+60s

If I use the timerange picker and select a relative time, the search works as expected and earliest=-1h latest=-1h+60s works as expected. If I use a non-relative time then it looks like this earliest=1528398925 latest=1528398925+60s which does not work.

How can I get this to work with non-relative time?

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

The most effective way to do this is ** in a dash ** is to have your time-picker set its normal tokens, and then have a hidden search use only the value of the earliest token, and return the value of earliest in epoch and the value of earliest+60s in epoch into two new and different tokens.

Use those tokens in your actual search.

This is less finnicky than using a subsearch, and should be measurably faster, in my experience.

View solution in original post

SplunkTrust
SplunkTrust

The most effective way to do this is ** in a dash ** is to have your time-picker set its normal tokens, and then have a hidden search use only the value of the earliest token, and return the value of earliest in epoch and the value of earliest+60s in epoch into two new and different tokens.

Use those tokens in your actual search.

This is less finnicky than using a subsearch, and should be measurably faster, in my experience.

View solution in original post

SplunkTrust
SplunkTrust

This is the exact approach I took and it worked perfectly!!

Here's the workflow

  • Create panel with 2 fields, earliest and latest _time
  • Assign earliest and latest with tokens from the timeranger picker
  • Use a token to capture the earliest value from this panel
  • Pass that token into the top base search and add the needed time
  • Hide the extra panel

SplunkTrust
SplunkTrust

Glad it worked for you. It would not have to be a separate panel, it could also be a hidden control in the first panel, and/or a search outside of panels completely, but you got it working, so that's great!

0 Karma

SplunkTrust
SplunkTrust

Are you using those tokens inline in the search OR in the time-range picker of the dashboard panel?

0 Karma

SplunkTrust
SplunkTrust

I'm using then in an in-line search like this

index=blah earliest=$TIME.earliest$ latest=$TIME.earliest$+60s

The tokens are set in the dashboards timerange picker and all the panels run off a base search which is using the search above

0 Karma

SplunkTrust
SplunkTrust

Try something like this

 <search id="baseSearch">
    <query>index=blah [| gentimes start=-1 | addinfo | eval earliest=info_min_time | eval latest=info_min_time+60 | table earliest latest | format ] ....rest of the search... </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>

The sub-search will run using your selected time range picker/token value, and override the main search time range with updated ones.

SplunkTrust
SplunkTrust

Whenever I run this, I'm getting the following error

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.
0 Karma

SplunkTrust
SplunkTrust

I figured out the Error issue, its with the way the results are formatted from the format command. If you remove the parenthesis then it works as expected. Still working my way through this

0 Karma

SplunkTrust
SplunkTrust

I'm also getting this error

Error in timechart command: The argument '(( earliest=1528750293.000 AND latest=1528750353.000))' is invalid
0 Karma

SplunkTrust
SplunkTrust

@somesoni2, using addinfo, the All Time selection would need to be handled separately. For this particular usecase a condition for earliest=0 and latest="+Infinity" should set the token to $TIME.earliest$ and $TIME.latest$ respectively.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust
SplunkTrust

That a good point. However, I believe he wants his search's latest to be based on earliest value (earliest+60sec), so subsearch is fine.

0 Karma