Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add time filter late in the search command
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rolfn
Explorer
11-11-2016
02:47 AM
I understand how to search using the time range picker, or by adding "earliest" and "latest" in the primary search-command.
However, I would like to run eventstats across my entire dataset (to identify events occuring only once) and the pick out only those occuring within a specific timeframe. I have tried adding something like this after my eventstats-command:
| search earliest=<...> latest=<...>
however, this doesn't work. I have been able to achieve what I want by adding:
| where antall=1 AND _time<strptime("2015-12-01", "%F") AND _time>strptime("2015-11-01", "%F")
but this is just a work-around and I don't get any of the functionality for relative times or aligning.
Am I missing something? Is this supposed to work? Is there any other way?
Some more details on what I try to achieve:
- My log shows users (identified by USER) looking up records (identified by ID)
- I want to find the records which has only been looked up by one user across the entire dataset.
This can be done by:
<search command> | stats dc(USER) as cnt by ID | where cnt=1
or if I want to see the original log-events:
<search command> | eventstats dc(USER) as cnt by ID | where cnt=1
Now, If one record is accessed by user A in january and user B in march, cnt will be 2 for this record if I compute across the whole dataset. However, it will be 1 if I compute against just january data or just march data.
Now, my march data looks strange, so I want to look at only events happening during march, but I need the stats to be counted across the whole dataset as I don't want records looked at by other users in other months included. So I need the date-filter to be later than eventstats in the search pipeline.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
11-11-2016
05:54 AM
Try something like this. Adjust the relative times as necessary.
| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")
That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-11-2016
07:15 AM
Try like this (assuming this query will be run in a dashboard with a time range other than All Time, but your search should be executed with time range All-Times)
your base search earliest=0 | ..other command including your eventstats commands...
| where anall=1 AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search] AND _time>[| gentimes start=-1 | addinfo | eval search=info_min_time | table search]
Where the subsearch in the where clause uses addinfo command to get the external time range (Time Range picker) values (info_max_time is epoch equivalent of latest and info_min_time is epoch equivalent of earliest. See here for more information https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Addinfo)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rolfn
Explorer
11-14-2016
01:58 AM
So this explicitly overrides the settings from the time range picker, but adds it later using "addinfo"? Clever...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
11-11-2016
05:54 AM
Try something like this. Adjust the relative times as necessary.
| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")
That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rolfn
Explorer
11-14-2016
01:45 AM
This answers my question, so I'll accept this. (However, I wish it would work as documented, that would have been more elegent). I'll update my question with more explanation of why I would want this.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
