How to dynamically set earliest time to the first ...

pde7 · ‎10-09-2014

I want to dynamically set the earliest time to the first instance of a particular event. Is there a way to do that?

Basically/roughly, I'm looking for something like:

value=pair earliest=(timestamp of first event) latest=+7d | timechart

Ayn · ‎10-09-2014

You can't do it in the base search, because Splunk sets up the timeframe before it even finds any events. What you could do though is to post-filter the events once they've been returned from the base search.

value=pair earliest=sometime latest=sometime | eventstats earliest(_time) as earliest_time | where _time<relative_time(earliest_time,"+7d")

pde7 · ‎10-09-2014

That works but it is extremely expensive (programming/search cost).

Ayn · ‎10-09-2014

Correct. However as you can't put the logic in at an earlier stage, this is what you're likely stuck with. I suppose you could maybe use a subsearch for generating the correct times, but you're still back to the problem of finding the earliest event. Splunk searches in reverse chronological order so in order to find the earliest event, it has to find all the ones after that anyway.

landen99 · ‎11-25-2014

how about using map to give a time frame for each field-value pair?

| eval time_b4=relative_time(time_anchor, "-1h")  | eval time_l8r=relative_time(time_anchor, "+1h") | map search="search index=index1 sourcetype=sourcetype1 field1=$field$  earliest=$time_b4$ latest=$time_l8r$"

Something like that maybe?

How to dynamically set earliest time to the first instance of a particular event for a timechart?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?