How to run different timerange in subsearch versus outer search?

Explorer

Hi,
I've been stuck on this for a bit and need some advice. I have it partially working, but I'm trying to figure out if there's a better way of achieving what I need. I'm using a timerangepicker and I'm getting the "now-x" error. So what I'm doing is comparing, let's say, the past 60 minutes vs the previous day vs the previous week in the same time period. The "current" needs to be dynamic so I can select, let's say, the past 2 hours vs the past 2 hours from the previous day (and previous week). Currently, I'm using an eval to create the earliest and latest (for the subsearch) and then a where to filter out the time period. I would prefer to have the earliest and latest set globally, as I have multiple dashboards that compare current with previous weeks. Any advice?


Re: How to run different timerange in subsearch versus outer search?

Legend

Sounds interesting, but confusing... can we see the search?

0 Karma

Re: How to run different timerange in subsearch versus outer search?

Legend

If you want to compare results with other results from a while back, did you look into using the timewrap command? https://apps.splunk.com/app/1645/

0 Karma

Re: How to run different timerange in subsearch versus outer search?

Explorer

Pardon the poor search. I'm still a noob with this:

index=anyindex earliest=-60m latest=now 
| eval label= "current" 
| timechart span=5m count by label
| appendcols [ search index=anyindex 
    | eval earliesttime=relative_time(now(),"-60m-24h") 
    | eval latesttime=if("$range.latest$"=="now",relative_time(now(),"-24h"),relative_time(now(),"$range.latest$-24h")) 
    | where _time>earliesttime AND _time<=latesttime 
    | eval label= "day ago" 
    | timechart span=5m count by label ]

0 Karma

Re: How to run different timerange in subsearch versus outer search?

Explorer

@Ayn - I did, but I don't have the ability to add 3rd-party apps.

0 Karma

Re: How to run different timerange in subsearch versus outer search?

Legend

Nope - this answer won't work!! Why? Because Splunk runs the inner search using the same info from the timerange picker as the outer search - so the data that you want has already been excluded by the time you get to the where command!

Here is a more general way of writing your search:

index=anyindex 
| eval label= "current" 
| timechart span=5m count by label
| appendcols [ search index=anyindex 
    | eval comparison="-1d" | eval label= "day ago" 
    | addinfo
    | eval earliest_time=relative_time(info_min_time,comparison) 
    | eval latest_time=relative_time(info_max_time,comparison) 
    | where _time>earliest_time and _time<=latest_time
    | timechart span=5m count by label ] 

Note the line | eval comparison="-1d" | eval label= "day ago". This is where the comparison range is set. If you were to make this into a form search, you would be able to add a drop-down that let someone pick a day, a week, etc. and substitute that value into the appropriate line.

0 Karma

Re: How to run different timerange in subsearch versus outer search?

Legend

Another brainstorm - If you want to do this as a form search, go to Settings -> User Interface -> Views. Create a new view, and copy/paste this into the box

<form>
  <label>Test</label>
      <searchTemplate> <![CDATA[ index=anyindex earliest=$search_time.earliest$ latest=$search_time.latest$
          | eval label= "Current"
          | timechart span=5m count by label
          | appendcols [ search index=anyindex earliest=$search_time.earliest$-$time_comparison$ latest=$search_time.latest$-$time_comparison$
              | addinfo
              | eval label = "From " + strftime(info_min_time,"%x %X") + " to " + strftime(info_max_time,"%x %X") 
              | timechart span=5m count by label ] ]]></searchTemplate>
    <fieldset>

      <input type="time" token="search_time" searchWhenChanged="false">
        <label>Search over</label>
        <default>
          <earliestTime>-1h@h</earliestTime>
          <latestTime>@h</latestTime>
        </default>
     </input>

     <input type="dropdown" token="time_comparison">
         <label>Compare with Previous</label>         
         <choice value="1h">Hour</choice>            
         <choice value="1d">Day</choice>
         <choice value="1w">Week</choice>
        <default>1h</default>
      </input>
    </fieldset>

  <row>
    <panel>
      <chart>
        <title>Comparison with previous $time_comparison$</title>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    </row>
    <row>
        <panel>
      <table>
        <title>Table of comparison with previous $time_comparison$</title>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>

Then try it out. The name of the view is Test, so that is probably what you should name it (so things don't get confusing).

0 Karma

Re: How to run different timerange in subsearch versus outer search?

New Member

I am a newbie. I tried to follow the above post and I am getting the error "not a valid value for earliest (date's equivalent number -1) / latest (now-1w)". Any help is appreciated.

0 Karma

Re: How to run different timerange in subsearch versus outer search?

Legend

If you don't want to do a form search, you can explicitly set the time ranges that you want in the two searches:

index=anyindex earliest=-1h@h latest=@h
| eval label= "current" 
| timechart span=5m count by label
| appendcols [ search index=anyindex earliest=-2h@h latest=-1h@h
    | eval label= "hour ago" 
    | timechart span=5m count by label ]

This is the simplest answer, but the least flexible.

0 Karma

Re: How to run different timerange in subsearch versus outer search?

Explorer

Thanks! This is awesome... though I still get the "now" error: Invalid value "now-1d" for time term 'latest'. I understand that setting the time to @h or something fixes it, but I can't guarantee users won't select now. Is there a way around that?

Thanks again!! This is wonderful!

0 Karma
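The two open points in this thread are (a) that a subsearch inherits the time picker's range, so a `where` on shifted timestamps filters against data that was never retrieved, and (b) that pasting `$search_time.latest$` next to `-$time_comparison$` produces strings like `now-1d`, which are not valid time modifiers. The form below is an added example, not code from anyone in this thread, that avoids both: the comparison window is computed numerically from the epoch values `addinfo` exposes inside a `makeresults` subsearch, and handed to the comparison search as `earliest`/`latest` through `return`. It assumes the same index name (`anyindex`) and token names (`search_time`, `time_comparison`) used in the form above.

```xml
<form>
  <label>Compare current window with the previous period</label>
  <fieldset submitButton="false">
    <!-- Any picker preset, including "now", is fine here: the picker tokens are
         never concatenated with a time modifier, they only bound the outer search. -->
    <input type="time" token="search_time" searchWhenChanged="true">
      <label>Search over</label>
      <default>
        <earliestTime>-60m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <!-- The dropdown value becomes the relative_time() offset, e.g. "-1d". -->
    <input type="dropdown" token="time_comparison">
      <label>Compare with previous</label>
      <choice value="1h">Hour</choice>
      <choice value="1d">Day</choice>
      <choice value="1w">Week</choice>
      <default>1d</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Current vs. previous $time_comparison$</title>
        <!-- The inner [| makeresults | addinfo ...] subsearch inherits the picker
             range, so info_min_time/info_max_time are the picker's epoch bounds.
             Shifting them with relative_time() and emitting them with "return"
             yields (earliest="..." latest="...") for the comparison search.
             "All time" reports info_max_time as +Infinity; it is clamped to now()
             so relative_time() still gets a number (assumed behaviour, see note). -->
        <search>
          <query><![CDATA[
index=anyindex
| eval label="current"
| timechart span=5m count by label
| appendcols
    [ search index=anyindex
        [| makeresults
         | addinfo
         | eval info_max_time=if(info_max_time=="+Infinity", now(), info_max_time)
         | eval earliest=floor(relative_time(info_min_time, "-$time_comparison$")),
                latest=floor(relative_time(info_max_time, "-$time_comparison$"))
         | return earliest latest ]
      | eval label="previous $time_comparison$"
      | timechart span=5m count by label ]
          ]]></query>
          <earliest>$search_time.earliest$</earliest>
          <latest>$search_time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the shift is done on epoch numbers rather than on the picker's text, a user selecting "now" no longer produces an invalid `now-1d` term, and the comparison search is bounded by its own `earliest`/`latest` instead of relying on a `where` after the fact. The `+Infinity` clamp is there only so an "All time" selection does not break `relative_time()`; a comparison over "All time" is not meaningful, so for such dashboards it is better to restrict the picker to bounded presets. As in the earlier answers, `appendcols` only lines up correctly because both windows have the same length and the same `span`.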