Splunk Search

How to include earliest and latest date time in the results

Explorer

Hello,

I feel this is such a noob question, but I just cannot find my answer. I want to include the earliest and latest datetime criteria in the results. The results of the bucket _time span do not guarantee that data occurs. I want to show the range of the data searched for in a saved search/report.

index=idx_noluck_prod source=*nifi-app.log* APILifeCycleEventLogger "Event Durations(ms)" API=/v*/payments/ach/*
| bucket _time span=day
| stats count(eval(EndToEnd < 1200)) as EndToEnd_Completed_1.2-Seconds, count(eval(EndToEnd)) as Total_Transactions by ClientId,_time

Thank you all in advance for increasing my understanding and knowledge.
Steven



Super Champion

OK then, @stevenulbrich, there is an "addinfo" command which will add two interesting fields to the search results (you may need to convert these times using the "convert"/strptime/strftime commands). Once these fields are added to the search results, at the last stage, inside the table command you can use these fields.

info_min_time: The earliest time boundary for the search.
info_max_time: The latest time boundary for the search.

Command reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo



Explorer

The information was what I needed.  Thank you

Using eval with strftime allowed me to convert to an MM/DD/YYYY format.

🙂


Steven


SplunkTrust
But remember that as you are using bucket span=1d _time, you don't get the real min and max time; instead you get the day.
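
As an added example (not from any of the posters above), here is the question's search extended with the accepted answer's addinfo approach and with the caveat above handled: addinfo supplies the search's own time boundaries (info_min_time / info_max_time), while the real first and last event times are preserved by copying _time into a separate field before bucket rewrites it to the day boundary. The index, source, API filter and the ClientId / EndToEnd fields are taken from the question; the earliest=-30d@d latest=@d time range and the output field names (event_time, first_event, last_event, search_earliest, search_latest, EndToEnd_Completed_Under_1200ms) are illustrative assumptions, not anything the thread specifies.

```spl
index=idx_noluck_prod source=*nifi-app.log* APILifeCycleEventLogger "Event Durations(ms)" API=/v*/payments/ach/*
    earliest=-30d@d latest=@d
| addinfo
| eval event_time=_time
| bucket _time span=day
| stats count(eval(EndToEnd < 1200)) as EndToEnd_Completed_Under_1200ms,
        count(EndToEnd) as Total_Transactions,
        min(event_time) as first_event,
        max(event_time) as last_event,
        min(info_min_time) as search_earliest,
        max(info_max_time) as search_latest
        by ClientId, _time
| eval first_event=strftime(first_event, "%m/%d/%Y %H:%M:%S"),
       last_event=strftime(last_event, "%m/%d/%Y %H:%M:%S"),
       search_earliest=strftime(search_earliest, "%m/%d/%Y"),
       search_latest=strftime(search_latest, "%m/%d/%Y")
| table ClientId, _time, search_earliest, search_latest, first_event, last_event,
        EndToEnd_Completed_Under_1200ms, Total_Transactions
```

search_earliest and search_latest are the boundaries the search job actually ran with, which is what a downstream Python SDK / Pandas consumer needs to record "when the data was pulled", whereas first_event and last_event show the span of data that really exists inside each day bucket. Two practical checks: keep an explicit latest in the search string (or on the SDK job), because with an unbounded latest addinfo reports info_max_time as +Infinity and strftime on it yields no value; and avoid dots and hyphens in stats aliases such as the original EndToEnd_Completed_1.2-Seconds, since unquoted they are easy to misparse in later commands and awkward as column names once exported.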

SplunkTrust

How about addinfo?


Super Champion

Hi @stevenulbrich. After saving the report, and after it runs, do you want it to send an email to you with the report results? If so, under "add action" for the report, when you enable the mail option, there is a check-box to include the search string (in the search string, you should include earliest and latest, so that they will be available in the email report as well).

[screenshot: report-action.jpg]


Explorer

Hello inventsekar,

I will not be sending the report. I am going to use the report as part of my Python SDK solution. I have to take the data and generate longer-term data capture and reporting.

So I'm sorry, including the search string will not be a solution.

As I work with the data in Pandas and Excel, the Earliest and Latest dates will be used to show when the data was pulled. The Splunk I'm using can only hold 30 days of data maximum.


Steven

