Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert earliest and latest into String values?

celsohso
Path Finder
‎02-10-2015 11:57 AM

I would like to convert a earliest and latest time and concatenate in a string value, so I could have that in my Dashboard. E.g.
"Report: January 1 – 31, 2015"

index=main | head 4 | eval desired_time=strftime(now(), "%B") | eval month_year=strftime(now(),"%d %Y") | eval fulldate = desired_time." ".month_year | table fulldate, _time
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:10 PM

Not sure I understand completely, but stats first()/last() will give you youngest and oldest event timestamp for any given search (does not necessarily match earliest/latest). Example:

index=main earliest=-2d | stats last(_time) as earliest first(_time) as latest 
| eval startDate=strftime(earliest, "%B %d %Y") 
| eval endDate=strftime(latest, "%B %d %Y") 
| eval reportstring = "Report: ".startDate."-".endDate
| fields reportstring

If that's not what you meant, please clarify your requirement.

View solution in original post

Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:10 PM

Not sure I understand completely, but stats first()/last() will give you youngest and oldest event timestamp for any given search (does not necessarily match earliest/latest). Example:

index=main earliest=-2d | stats last(_time) as earliest first(_time) as latest 
| eval startDate=strftime(earliest, "%B %d %Y") 
| eval endDate=strftime(latest, "%B %d %Y") 
| eval reportstring = "Report: ".startDate."-".endDate
| fields reportstring

If that's not what you meant, please clarify your requirement.

Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 02:18 PM

ssievert_splunk,

Your answer plus the link you gave me work perfectly.

thank you so much for all your help, outstanding!

Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 01:31 PM

ssievert_splunk

I was asked to add a Header to my report with the timeframe I am reporting for. E.g. "Report: January 1 – 31, 2015", so that it would show up as a header on all the PDF pages.

I don't know why this search is not working for me

Thanks a lot for your help so far

0 Karma
Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 01:32 PM

I would like to use:

earliest=-30d@d and latest=@d

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:36 PM

you can use whatever values you need for your earliest/latest search timeframe constraints.

This answer here, I think, is what you are really asking, i.e. how can you put the report timeframe at the top of a report so that it gets captured in the PDF when delivered. The answer shows how to use a single-value panel at the top of your report that you can populate with the String you wish to use. I showed you above how to put together that string.

BTW, what version of Splunk are you using?

Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...