Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add time filter late in the search command

rolfn
Explorer
‎11-11-2016 02:47 AM

I understand how to search using the time range picker, or by adding "earliest" and "latest" in the primary search-command.

However, I would like to run eventstats across my entire dataset (to identify events occuring only once) and the pick out only those occuring within a specific timeframe. I have tried adding something like this after my eventstats-command:

| search earliest=<...> latest=<...>

however, this doesn't work. I have been able to achieve what I want by adding:

| where antall=1 AND _time<strptime("2015-12-01", "%F") AND _time>strptime("2015-11-01", "%F")

but this is just a work-around and I don't get any of the functionality for relative times or aligning.

Am I missing something? Is this supposed to work? Is there any other way?

Some more details on what I try to achieve:

  • My log shows users (identified by USER) looking up records (identified by ID)
  • I want to find the records which has only been looked up by one user across the entire dataset.

This can be done by:

<search command> | stats dc(USER) as cnt by ID | where cnt=1

or if I want to see the original log-events:

<search command> | eventstats dc(USER) as cnt by ID | where cnt=1

Now, If one record is accessed by user A in january and user B in march, cnt will be 2 for this record if I compute across the whole dataset. However, it will be 1 if I compute against just january data or just march data.

Now, my march data looks strange, so I want to look at only events happening during march, but I need the stats to be counted across the whole dataset as I don't want records looked at by other users in other months included. So I need the date-filter to be later than eventstats in the search pipeline.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2016 05:54 AM

Try something like this. Adjust the relative times as necessary.

| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")

That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-11-2016 07:15 AM

Try like this (assuming this query will be run in a dashboard with a time range other than All Time, but your search should be executed with time range All-Times)

your base search earliest=0 | ..other command including your eventstats commands...
| where anall=1 AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search] AND _time>[| gentimes start=-1 | addinfo | eval search=info_min_time | table search]

Where the subsearch in the where clause uses addinfo command to get the external time range (Time Range picker) values (info_max_time is epoch equivalent of latest and info_min_time is epoch equivalent of earliest. See here for more information https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Addinfo)

Reply
Solved! Jump to solution

rolfn
Explorer
‎11-14-2016 01:58 AM

So this explicitly overrides the settings from the time range picker, but adds it later using "addinfo"? Clever...

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2016 05:54 AM

Try something like this. Adjust the relative times as necessary.

| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")

That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rolfn
Explorer
‎11-14-2016 01:45 AM

This answers my question, so I'll accept this. (However, I wish it would work as documented, that would have been more elegent). I'll update my question with more explanation of why I would want this.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top