Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert earliest and latest into String values?

celsohso
Path Finder
‎02-10-2015 11:57 AM

I would like to convert a earliest and latest time and concatenate in a string value, so I could have that in my Dashboard. E.g.
"Report: January 1 – 31, 2015"

index=main | head 4 | eval desired_time=strftime(now(), "%B") | eval month_year=strftime(now(),"%d %Y") | eval fulldate = desired_time." ".month_year | table fulldate, _time
Reply
1 Solution
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:10 PM

Not sure I understand completely, but stats first()/last() will give you youngest and oldest event timestamp for any given search (does not necessarily match earliest/latest). Example:

index=main earliest=-2d | stats last(_time) as earliest first(_time) as latest 
| eval startDate=strftime(earliest, "%B %d %Y") 
| eval endDate=strftime(latest, "%B %d %Y") 
| eval reportstring = "Report: ".startDate."-".endDate
| fields reportstring

If that's not what you meant, please clarify your requirement.

View solution in original post

Reply
Solved! Jump to solution
Solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:10 PM

Not sure I understand completely, but stats first()/last() will give you youngest and oldest event timestamp for any given search (does not necessarily match earliest/latest). Example:

index=main earliest=-2d | stats last(_time) as earliest first(_time) as latest 
| eval startDate=strftime(earliest, "%B %d %Y") 
| eval endDate=strftime(latest, "%B %d %Y") 
| eval reportstring = "Report: ".startDate."-".endDate
| fields reportstring

If that's not what you meant, please clarify your requirement.

Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 02:18 PM

ssievert_splunk,

Your answer plus the link you gave me work perfectly.

thank you so much for all your help, outstanding!

Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 01:31 PM

ssievert_splunk

I was asked to add a Header to my report with the timeframe I am reporting for. E.g. "Report: January 1 – 31, 2015", so that it would show up as a header on all the PDF pages.

I don't know why this search is not working for me

Thanks a lot for your help so far

0 Karma
Reply
Solved! Jump to solution

celsohso
Path Finder
‎02-10-2015 01:32 PM

I would like to use:

earliest=-30d@d and latest=@d

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-10-2015 01:36 PM

you can use whatever values you need for your earliest/latest search timeframe constraints.

This answer here, I think, is what you are really asking, i.e. how can you put the report timeframe at the top of a report so that it gets captured in the PDF when delivered. The answer shows how to use a single-value panel at the top of your report that you can populate with the String you wish to use. I showed you above how to put together that string.

BTW, what version of Splunk are you using?

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...