Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to include earliest and latest date time in the results

stevenulbrich
Explorer
‎10-17-2020 12:42 PM

Hello,

I feels this such a noob question but just cannot find my answer. I want to include the earliest and latest datetime criteria in the results.  The results of the bucket _time span does not guarantee that data occurs.  I want to show range of the data searched for in a saved search/report.

index=idx_noluck_prod source=*nifi-app.log* APILifeCycleEventLogger "Event Durations(ms)" API=/v*/payments/ach/*
| bucket _time span=day |stats count(eval(EndToEnd < 1200)) as EndToEnd_Completed_1.2-Seconds, count(eval(EndToEnd)) as Total_Transactions by ClientId,_time

Thank you all in advance for increasing my understanding and knowledge.
Steven

 

 

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2020 09:07 PM

ok then, @stevenulbrich , there is a "addinfo" which will add two interesting fields to the search results(you may need to convert these times using "convert"/strptime/strftime commands). once these fields are added to the search results, at the last stage, inside the table command you can use these fields.

info_min_timeThe earliest time boundary for the search.
info_max_timeThe latest time boundary for the search.

command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2020 09:07 PM

ok then, @stevenulbrich , there is a "addinfo" which will add two interesting fields to the search results(you may need to convert these times using "convert"/strptime/strftime commands). once these fields are added to the search results, at the last stage, inside the table command you can use these fields.

info_min_timeThe earliest time boundary for the search.
info_max_timeThe latest time boundary for the search.

command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Addinfo

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

stevenulbrich
Explorer
‎10-18-2020 10:42 AM

The information was what I needed.  Thank you

using the eval with strftime it allowed me to convert to a MM/DD/YYYY format.

🙂

 

Steven

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎10-18-2020 06:43 AM
But remember that as you are using bucket span=1d _time, you didn’t get real min and max time instead you get the day.
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎10-17-2020 06:38 PM

how about addinfo ?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2020 01:45 PM

Hi @stevenulbrich After saving the report, after its run, do want it to send an email to you with the report results? if so, on the "add action" of the report, when you enable the mail option, there is a check-box to include the search string (on the search string, you should include earliest and latest, so that it will be available on the email report as well)

report-action.jpg

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

stevenulbrich
Explorer
‎10-17-2020 06:25 PM

Hello inventsekar

I will not sending the report. I am going to use the report as part of my Python SDK solution.  I have to take the data and generate longer term data capture and reporting.

So I'm sorry the including of the search string will not be ba solution.

As I work with the data in Pandas and Excel the the Earliest and Latest dates will be used to show when the data was pulled.  The splunk I'm using can only hold 30 days of data maximum.


Steven

 

Tags (1)
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...