Splunk Search

How to add time filter late in the search command

rolfn
Explorer

I understand how to search using the time range picker, or by adding "earliest" and "latest" in the primary search command.

However, I would like to run eventstats across my entire dataset (to identify events occurring only once) and then pick out only those occurring within a specific timeframe. I have tried adding something like this after my eventstats command:

| search earliest=<...> latest=<...>

however, this doesn't work. I have been able to achieve what I want by adding:

| where antall=1 AND _time<strptime("2015-12-01", "%F") AND _time>strptime("2015-11-01", "%F") 

but this is just a work-around and I don't get any of the functionality for relative times or aligning.

Am I missing something? Is this supposed to work? Is there any other way?


Some more details on what I try to achieve:

  • My log shows users (identified by USER) looking up records (identified by ID)
  • I want to find the records which have only been looked up by one user across the entire dataset.

This can be done by:

<search command> | stats dc(USER) as cnt by ID | where cnt=1

or if I want to see the original log-events:

<search command> | eventstats dc(USER) as cnt by ID | where cnt=1

Now, if one record is accessed by user A in January and user B in March, cnt will be 2 for this record if I compute across the whole dataset. However, it will be 1 if I compute against just January data or just March data.

Now, my March data looks strange, so I want to look at only events happening during March, but I need the stats to be counted across the whole dataset as I don't want records looked at by other users in other months included. So I need the date filter to be later than eventstats in the search pipeline.

0 Karma
1 Solution

richgalloway
SplunkTrust

Try something like this. Adjust the relative times as necessary.

| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")

That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.

---
If this reply helps you, Karma would be appreciated.

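The question and the accepted answer each show only a fragment of the pipeline. The following is an added example, not code from either poster, that assembles the whole search: the base search is pinned to all time with earliest=0 so eventstats counts distinct users per ID across the complete dataset, and only afterwards is the result cut down to a single aligned calendar month with relative_time. The index and sourcetype names are assumptions; the window is the previous full month rather than the "-1d@d" / "-30d@d" pair in the answer, to show the snap-to-month alignment the question asked for.

```spl
index=app sourcetype=record_lookup earliest=0
| eventstats dc(USER) AS antall BY ID
| where antall=1
    AND _time>=relative_time(now(), "-1mon@mon")
    AND _time<relative_time(now(), "@mon")
| table _time USER ID antall
| sort _time
```

Because earliest=0 is written into the search string, the time range picker no longer narrows the data that eventstats sees; the picker only matters if you replace the relative_time bounds with something derived from it. To target a fixed historical month such as March 2015 instead of the previous month, swap the two relative_time calls for strptime bounds as in the question, since relative_time only expresses offsets from a reference time.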

somesoni2
SplunkTrust

Try like this (assuming this query will be run in a dashboard with a time range other than All Time, but your search should be executed with the time range All Time):

your base search earliest=0 | ..other commands including your eventstats command...
| where antall=1 AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search] AND _time>[| gentimes start=-1 | addinfo | eval search=info_min_time | table search]

Here the subsearch in the where clause uses the addinfo command to get the external time range (Time Range picker) values (info_max_time is the epoch equivalent of latest and info_min_time is the epoch equivalent of earliest). See here for more information: https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Addinfo

rolfn
Explorer

So this explicitly overrides the settings from the time range picker, but adds it later using "addinfo"? Clever...

0 Karma


rolfn
Explorer

This answers my question, so I'll accept this. (However, I wish it would work as documented, that would have been more elegant.) I'll update my question with more explanation of why I would want this.

0 Karma