Splunk Search

How to add time filter late in the search command

rolfn
Explorer

I understand how to search using the time range picker, or by adding "earliest" and "latest" in the primary search-command.

However, I would like to run eventstats across my entire dataset (to identify events occurring only once) and then pick out only those occurring within a specific timeframe. I have tried adding something like this after my eventstats command:

| search earliest=<...> latest=<...>

However, this doesn't work. I have been able to achieve what I want by adding:

| where antall=1 AND _time<strptime("2015-12-01", "%F") AND _time>strptime("2015-11-01", "%F") 

but this is just a work-around and I don't get any of the functionality for relative times or aligning.

Am I missing something? Is this supposed to work? Is there any other way?


Some more details on what I try to achieve:

  • My log shows users (identified by USER) looking up records (identified by ID)
  • I want to find the records which have only been looked up by one user across the entire dataset.

This can be done by:

<search command> | stats dc(USER) as cnt by ID | where cnt=1

or if I want to see the original log-events:

<search command> | eventstats dc(USER) as cnt by ID | where cnt=1

Now, if one record is accessed by user A in January and user B in March, cnt will be 2 for this record if I compute across the whole dataset. However, it will be 1 if I compute against just January data or just March data.

Now, my March data looks strange, so I want to look at only events happening during March, but I need the stats to be counted across the whole dataset as I don't want records looked at by other users in other months included. So I need the date filter to be later than eventstats in the search pipeline.

0 Karma

somesoni2
Revered Legend

Try like this (assuming this query will be run in a dashboard with a time range other than All Time, but your search should be executed with time range All Time).

your base search earliest=0 | ..other command including your eventstats commands...
| where antall=1 AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search] AND _time>[| gentimes start=-1 | addinfo | eval search=info_min_time | table search]

Where the subsearch in the where clause uses the addinfo command to get the external time range (Time Range picker) values (info_max_time is the epoch equivalent of latest and info_min_time is the epoch equivalent of earliest). See here for more information: https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Addinfo
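Putting the question's eventstats pipeline and the addinfo subsearch together into one complete search, as an added example that is not part of any post above. It assumes the field names from the question (USER, ID, cnt); `<your_index>` and `<your_sourcetype>` are placeholders for the base search. The same pattern is useful in hunting, where a baseline ("how many distinct users ever touched this record") must be computed over full history while the review window stays narrow.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=0
| eventstats dc(USER) AS cnt BY ID
| where cnt=1
| where _time>=[| gentimes start=-1 | addinfo | eval search=info_min_time | table search]
    AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]
```

`earliest=0` in the base search forces the main search over all data, so dc(USER) is counted across the whole dataset before anything is discarded. Each subsearch runs once, inherits the picker's range rather than the override, and is substituted as a literal epoch value, so the final where clause keeps only the events inside the picker window. The bounds are written `>=` on the lower end and `<` on the upper end to match how Splunk itself treats earliest (inclusive) and latest (exclusive).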

rolfn
Explorer

So this explicitly overrides the settings from the time range picker, but adds it later using "addinfo"? Clever...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try something like this. Adjust the relative times as necessary.

| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")

That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.

---
If this reply helps you, Karma would be appreciated.

rolfn
Explorer

This answers my question, so I'll accept this. (However, I wish it would work as documented, that would have been more elegant). I'll update my question with more explanation of why I would want this.

0 Karma