Solved: Re: How to include earliest and latest date time i...

stevenulbrich · ‎10-17-2020

Hello,

I feels this such a noob question but just cannot find my answer. I want to include the earliest and latest datetime criteria in the results. The results of the bucket _time span does not guarantee that data occurs. I want to show range of the data searched for in a saved search/report.

index=idx_noluck_prod source=*nifi-app.log* APILifeCycleEventLogger "Event Durations(ms)" API=/v*/payments/ach/*
| bucket _time span=day |stats count(eval(EndToEnd < 1200)) as EndToEnd_Completed_1.2-Seconds, count(eval(EndToEnd)) as Total_Transactions by ClientId,_time

Thank you all in advance for increasing my understanding and knowledge.
Steven

inventsekar · ‎10-17-2020

ok then, @stevenulbrich , there is a "addinfo" which will add two interesting fields to the search results(you may need to convert these times using "convert"/strptime/strftime commands). once these fields are added to the search results, at the last stage, inside the table command you can use these fields.

info_min_time	The earliest time boundary for the search.
info_max_time	The latest time boundary for the search.

command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

View solution in original post

inventsekar · ‎10-17-2020

ok then, @stevenulbrich , there is a "addinfo" which will add two interesting fields to the search results(you may need to convert these times using "convert"/strptime/strftime commands). once these fields are added to the search results, at the last stage, inside the table command you can use these fields.

info_min_time	The earliest time boundary for the search.
info_max_time	The latest time boundary for the search.

command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

stevenulbrich · ‎10-18-2020

The information was what I needed. Thank you

using the eval with strftime it allowed me to convert to a MM/DD/YYYY format.

🙂

Steven

isoutamo · ‎10-18-2020

But remember that as you are using bucket span=1d _time, you didn’t get real min and max time instead you get the day.

to4kawa · ‎10-17-2020

how about addinfo ?

inventsekar · ‎10-17-2020

Hi @stevenulbrich After saving the report, after its run, do want it to send an email to you with the report results? if so, on the "add action" of the report, when you enable the mail option, there is a check-box to include the search string (on the search string, you should include earliest and latest, so that it will be available on the email report as well)

stevenulbrich · ‎10-17-2020

Hello inventsekar

I will not sending the report. I am going to use the report as part of my Python SDK solution. I have to take the data and generate longer term data capture and reporting.

So I'm sorry the including of the search string will not be ba solution.

As I work with the data in Pandas and Excel the the Earliest and Latest dates will be used to show when the data was pulled. The splunk I'm using can only hold 30 days of data maximum.

Steven

How to include earliest and latest date time in the results

fields

stats

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk