Splunk Search

How to run different timerange in subsearch versus outer search?

dlee360
Explorer

Hi,
I've been stuck on this for a bit and need some advice. I have it partially working, but I'm trying to figure out if there's a better way of achieving what I need. I'm using a timerangepicker and I'm getting the "now-x" error. So what I'm doing is comparing, let's say, the past 60 minutes vs the previous day vs the previous week in the same time period. The "current" needs to be dynamic so I can select, let's say, the past 2 hours vs the past 2 hours from the previous day (and previous week). Currently, I'm using an eval to create the earliest and latest (for the subsearch) and then a where to filter out the time period. I would prefer to have the earliest and latest set globally, as I have multiple dashboards that utilize comparing current w/ previous weeks. Any advice?


daveklee
New Member

So how I ended up doing this was that I created multiple time range pickers. Originally, I wanted 1 time range picker and have comparison times (previous day, week, etc.) against that time. I decided it was easier for the users to just pick what timeframe they wanted to compare. I also incorporated multisearch for efficiency so it ended up looking like this:

| multisearch [ search index=xx earliest=$time1.earliest$ latest=$time1.latest$ | eval type="current" ] [ search index=xx earliest=$time2.earliest$ latest=$time2.latest$ | eval type="previous" ] | timechart span=1h count by type

Hope that helps.
David

0 Karma

lguinn2
Legend

If you don't want to do a form search, you can explicitly set the time ranges that you want in the two searches:

index=anyindex earliest=-1h@h latest=@h
| eval label= "current" 
| timechart span=5m count by label
| appendcols [ search index=anyindex earliest=-2h@h latest=-1h@h
    | eval label= "hour ago" 
    | timechart span=5m count by label ]

This is the simplest answer, but the least flexible.

0 Karma

dlee360
Explorer

Thanks! This is awesome...though, I still get the "now" error: Invalid value "now-1d" for time term 'latest'. I understand that setting time to @h or something fixes it, but I can't guarantee users won't select now. Is there a way around that?

Thanks again!! This is wonderful!

0 Karma

lguinn2
Legend

Another brainstorm - If you want to do this as a form search, go to Settings -> User Interface -> Views. Create a new view, and copy/paste this into the box

<form>
  <label>Test</label>
  <searchTemplate><![CDATA[ index=anyindex earliest=$search_time.earliest$ latest=$search_time.latest$
    | eval label="Current"
    | timechart span=5m count by label
    | appendcols [ search index=anyindex earliest=$search_time.earliest$-$time_comparison$ latest=$search_time.latest$-$time_comparison$
        | addinfo
        | eval label="From " + strftime(info_min_time,"%x %X") + " to " + strftime(info_max_time,"%x %X")
        | timechart span=5m count by label ] ]]></searchTemplate>
  <fieldset>
    <input type="time" token="search_time" searchWhenChanged="false">
      <label>Search over</label>
      <default>
        <earliestTime>-1h@h</earliestTime>
        <latestTime>@h</latestTime>
      </default>
    </input>
    <input type="dropdown" token="time_comparison">
      <label>Compare with Previous</label>
      <choice value="1h">Hour</choice>
      <choice value="1d">Day</choice>
      <choice value="1w">Week</choice>
      <default>1h</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Comparison with previous $time_comparison$</title>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Table of comparison with previous $time_comparison$</title>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>

Then try it out. The name of the view is Test, so that is probably what you should name it (so things don't get confusing).

0 Karma

prasathnagaraju
New Member

I am a newbie. I tried to follow the above post and I am getting the error "not a valid value" for earliest (the date's equivalent number -1) / latest (now-1w). Any help is appreciated.

0 Karma

lguinn2
Legend

Nope - this answer won't work!! Why? Because Splunk runs the inner search using the same info from the timerange picker as the outer search - so the data that you want has already been excluded by the time you get to the where command!

Here is a more general way of writing your search:

index=anyindex 
| eval label= "current" 
| timechart span=5m count by label
| appendcols [ search index=anyindex 
    | eval comparison="-1d" | eval label= "day ago" 
    | addinfo
    | eval earliest_time=relative_time(info_min_time,comparison) 
    | eval latest_time=relative_time(info_max_time,comparison) 
    | where _time>earliest_time and _time<=latest_time
    | timechart span=5m count by label ] 

Note the line | eval comparison="-1d" | eval label= "day ago". This is where the comparison range is set. If you were to make this into a form search, you would be able to add a drop-down that let someone pick a day, a week, etc. and substitute that value into the appropriate line.

0 Karma
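Both of lguinn2's answers run into the same wall: the form appends the dropdown value to the picker token (giving the rejected "now-1d" term), and the where-filtered subsearch inherits the picker window before it can filter. The example below is added here and is not code from the thread: a hidden base search resolves the picker window to epoch seconds with addinfo, shifts it with relative_time, and hands the epoch values to the panel's subsearch as its own earliest/latest. It is written in current Simple XML (search elements instead of searchTemplate); the index, tokens and labels are assumed for illustration, and it assumes the picker always has a bounded latest (not "all time").

```xml
<form>
  <label>Test</label>
  <!-- Base search (added example): resolve the picker window to epoch seconds
       once, then shift it. Time terms such as "now" or "-1h@h" never get string
       arithmetic applied to them, so "now-1d" can never be produced. -->
  <search>
    <query>| makeresults | addinfo
      | eval cmp_earliest=relative_time(info_min_time, "-$time_comparison$")
      | eval cmp_latest=relative_time(info_max_time, "-$time_comparison$")</query>
    <earliest>$search_time.earliest$</earliest>
    <latest>$search_time.latest$</latest>
    <done>
      <set token="cmp_earliest">$result.cmp_earliest$</set>
      <set token="cmp_latest">$result.cmp_latest$</set>
    </done>
  </search>
  <fieldset>
    <input type="time" token="search_time" searchWhenChanged="true">
      <label>Search over</label>
      <default>
        <earliest>-1h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="time_comparison" searchWhenChanged="true">
      <label>Compare with Previous</label>
      <choice value="1h">Hour</choice>
      <choice value="1d">Day</choice>
      <choice value="1w">Week</choice>
      <default>1h</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Comparison with previous $time_comparison$</title>
        <!-- The panel waits until cmp_earliest/cmp_latest are set by the base
             search; the subsearch's explicit epoch bounds override the picker. -->
        <search>
          <query>index=anyindex
            | eval label="current"
            | timechart span=5m count by label
            | appendcols [ search index=anyindex earliest=$cmp_earliest$ latest=$cmp_latest$
                | eval label="previous $time_comparison$"
                | timechart span=5m count by label ]</query>
          <earliest>$search_time.earliest$</earliest>
          <latest>$search_time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

As in the original answers, appendcols pairs the two timecharts row by row, so the shifted series lines up with the current one by bin position rather than by timestamp.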

dlee360
Explorer

@Ayn - I did, but I don't have the ability to add 3rd-party apps.

0 Karma

dlee360
Explorer

Pardon the poor search. I'm still a noob with this:

index=anyindex earliest=-60m latest=now
| eval label="current"
| timechart span=5m count by label
| appendcols [ search index=anyindex
    | eval earliest_time=relative_time(now(),"-60m-24h")
    | eval latest_time=if("$range.latest$"=="now", relative_time(now(),"-24h"), relative_time(now(),"$range.latest$-24h"))
    | where _time>earliest_time and _time<=latest_time
    | eval label="day ago"
    | timechart span=5m count by label ]

0 Karma

Ayn
Legend

If you want to compare results with other results from a while back, did you look into using the timewrap command? https://apps.splunk.com/app/1645/

0 Karma

lguinn2
Legend

Sounds interesting, but confusing... can we see the search?

0 Karma