Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add time filter late in the search command

rolfn
Explorer
‎11-11-2016 02:47 AM

I understand how to search using the time range picker, or by adding "earliest" and "latest" in the primary search-command.

However, I would like to run eventstats across my entire dataset (to identify events occuring only once) and the pick out only those occuring within a specific timeframe. I have tried adding something like this after my eventstats-command:

| search earliest=<...> latest=<...>

however, this doesn't work. I have been able to achieve what I want by adding:

| where antall=1 AND _time<strptime("2015-12-01", "%F") AND _time>strptime("2015-11-01", "%F")

but this is just a work-around and I don't get any of the functionality for relative times or aligning.

Am I missing something? Is this supposed to work? Is there any other way?

Some more details on what I try to achieve:

  • My log shows users (identified by USER) looking up records (identified by ID)
  • I want to find the records which has only been looked up by one user across the entire dataset.

This can be done by:

<search command> | stats dc(USER) as cnt by ID | where cnt=1

or if I want to see the original log-events:

<search command> | eventstats dc(USER) as cnt by ID | where cnt=1

Now, If one record is accessed by user A in january and user B in march, cnt will be 2 for this record if I compute across the whole dataset. However, it will be 1 if I compute against just january data or just march data.

Now, my march data looks strange, so I want to look at only events happening during march, but I need the stats to be counted across the whole dataset as I don't want records looked at by other users in other months included. So I need the date-filter to be later than eventstats in the search pipeline.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2016 05:54 AM

Try something like this. Adjust the relative times as necessary.

| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")

That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-11-2016 07:15 AM

Try like this (assuming this query will be run in a dashboard with a time range other than All Time, but your search should be executed with time range All-Times)

your base search earliest=0 | ..other command including your eventstats commands...
| where anall=1 AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search] AND _time>[| gentimes start=-1 | addinfo | eval search=info_min_time | table search]

Where the subsearch in the where clause uses addinfo command to get the external time range (Time Range picker) values (info_max_time is epoch equivalent of latest and info_min_time is epoch equivalent of earliest. See here for more information https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Addinfo)

Reply
Solved! Jump to solution

rolfn
Explorer
‎11-14-2016 01:58 AM

So this explicitly overrides the settings from the time range picker, but adds it later using "addinfo"? Clever...

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2016 05:54 AM

Try something like this. Adjust the relative times as necessary.

| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")

That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rolfn
Explorer
‎11-14-2016 01:45 AM

This answers my question, so I'll accept this. (However, I wish it would work as documented, that would have been more elegent). I'll update my question with more explanation of why I would want this.

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top