How to get the last 15 days of logs relative to the latest event, not to now?

Path Finder

I can't find the correct syntax to search the last 15 days of logs, relative to the latest entry. My current search is as follows:

source="test.log" CPUUsage=* | timechart span=20m max(CPUUsage)

If I change the time range to "latest 15 days", it's relative to NOW, not the latest event.


Splunk Employee

I don't know if this is the best way to do it, but it is one way.

source="test.log" CPU_Usage=*
| join [| metadata type=sources source="test.log"| stats max(lastTime) as latest]
|  timechart span=20m max(CPU_Usage)

Path Finder

I get "No results found" when using these lines. Do I need to change anything? The query from Chanfoli returns several hundred results (as it should).

Path Finder

That works with a few changes.

source="*test.log*" CPU_Usage=*
    [ search CPU_Usage=*
    | head 1
    | eval earliest=relative_time(_time,"-15d")
    | eval latest=_time
    | fields earliest, latest
    | format "(" "(" "" ")" "OR" ")" ]
| timechart span=20m max(CPU_Usage)
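The same idea, as an added example that is not part of this thread: the subsearch finds the timestamp of the newest event for the source with tstats (which reads only the index-time summary, so it does not scan every event the way `search ... | head 1` does), derives earliest from it with relative_time, and hands both fields back to the outer search, where Splunk treats a subsearch that returns only earliest and latest as a time range. The source and field names are taken from the thread; the +1 second pad is an assumption added because latest is an exclusive bound and the newest event would otherwise fall outside the window.

```spl
source="test.log" CPU_Usage=*
    [| tstats max(_time) as latest where source="test.log"
     | eval earliest=relative_time(latest, "-15d")
     | eval latest=latest+1
     | fields earliest latest ]
| timechart span=20m max(CPU_Usage)
```

Set the time picker to "All time" when running this, because the picker's range is applied on top of the earliest/latest values the subsearch produces and a narrower picker range would clip the window again.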