Splunk Search

How to add time filter late in the search command

Explorer

I understand how to search using the time range picker, or by adding "earliest" and "latest" in the primary search-command.

However, I would like to run eventstats across my entire dataset (to identify events occurring only once) and then pick out only those occurring within a specific timeframe. I have tried adding something like this after my eventstats-command:

| search earliest=<...> latest=<...>

however, this doesn't work. I have been able to achieve what I want by adding:

| where antall=1 AND _time<strptime("2015-12-01", "%F") AND _time>strptime("2015-11-01", "%F") 

but this is just a work-around and I don't get any of the functionality for relative times or aligning.

Am I missing something? Is this supposed to work? Is there any other way?


Some more details on what I try to achieve:

  • My log shows users (identified by USER) looking up records (identified by ID)
  • I want to find the records which have only been looked up by one user across the entire dataset.

This can be done by:

<search command> | stats dc(USER) as cnt by ID | where cnt=1

or if I want to see the original log-events:

<search command> | eventstats dc(USER) as cnt by ID | where cnt=1

Now, if one record is accessed by user A in January and user B in March, cnt will be 2 for this record if I compute across the whole dataset. However, it will be 1 if I compute against just January data or just March data.

Now, my March data looks strange, so I want to look at only events happening during March, but I need the stats to be counted across the whole dataset, as I don't want records looked at by other users in other months included. So I need the date-filter to be later than eventstats in the search pipeline.

0 Karma
1 Solution

SplunkTrust

Try something like this. Adjust the relative times as necessary.

| where antall=1 AND _time<relative_time(now(), "-1d@d") AND _time>relative_time(now(),"-30d@d")

That said, I have to ask: why search all time if you're only going to keep events in a given time range? Start with that range.

---
If this reply helps you, an upvote would be appreciated.

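Putting the accepted approach together with the eventstats pipeline from the question, as an added example that is not part of either post. It computes the distinct-user count over all time and only then restricts the output to the previous calendar month using relative_time with "@mon" snapping, which is the "aligning" the question asks about; the index and sourcetype names are assumptions.

```spl
index=app_logs sourcetype=record_access earliest=0
| eventstats dc(USER) AS cnt BY ID
| where cnt=1
    AND _time >= relative_time(now(), "-1mon@mon")
    AND _time <  relative_time(now(), "@mon")
| table _time USER ID
```

Because earliest=0 is set in the base search, the Time Range picker no longer limits the data eventstats sees; only the where clause does.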

SplunkTrust

Try like this (assuming this query will be run in a dashboard with a time range other than All Time, while your search itself is executed with the time range All Time):

your base search earliest=0 | ..other command including your eventstats commands...
| where antall=1 AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search] AND _time>[| gentimes start=-1 | addinfo | eval search=info_min_time | table search]

Here the subsearch in the where clause uses the addinfo command to get the external time range (Time Range picker) values: info_max_time is the epoch equivalent of latest and info_min_time is the epoch equivalent of earliest. See here for more information: https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Addinfo

Explorer

So this explicitly overrides the settings from the time range picker, but adds it later using "addinfo"? Clever...

0 Karma


Explorer

This answers my question, so I'll accept this. (However, I wish it would work as documented; that would have been more elegant.) I'll update my question with more explanation of why I would want this.

0 Karma