Splunk Search

How to structure search for dynamic earliest latest

ohlafl
Communicator

I have a search query that begins like this:

index=someData earliest=08/06/2015:10:00:00 latest=08/06/2015:21:00:00... rest of search. 

I need to set the date of earliest and latest as dates of today and if I've understood it correctly I should be able to convert the now value to epoch time, but then I need to use eval and that is not possible(?) within the first search pipe. How should I structure the search so that I can do this effectively?

Edit: I should mention that I cannot use any d@d or similar as I use the search in an overlay comparing results for two days and this will mess up the timeline.

1 Solution

dwaddle
SplunkTrust
SplunkTrust

I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html

HOWEVER, looking at your use case in the reply below you can probably accomplish the same with relative time trickery, something like:

earliest=@d+10h  latest=@d+17h  <rest of search>

The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.

earliest=-1d@d+10h+32m  latest=@d-15h+30m

Or other such tomfoolery. Perhaps this is more like what you're trying to do?

Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview

sharan928
Engager

If we are using macros for earliest and latest, this approach of adding time would not work. We need to create a subsearch.

0 Karma

acharlieh
Influencer

The @dwaddle solution applied:

index=someData [noop|stats count|fields|eval earliest=relative_time(now(),"@d+10h")|eval latest=relative_time(now(),"@d+21h")| convert timeformat="%m/%d/%Y:%T" ctime(*)| format "" "" "" "" "" ""] ... rest of search
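Added illustration for this thread (not Splunk's code and not code from anyone posting here): a small Python model of how a relative-time modifier chain such as dwaddle's @d+10h or -1d@d+10h+32m is evaluated, token by token from left to right, and how the result is then rendered with the %m/%d/%Y:%T format acharlieh's subsearch uses. It lets you check what bounds a given modifier will actually produce before dropping it into a search, and it handles the full modifier grammar rather than only the two cases above (units s, m, h, d, w, mon, q, y; snap @w = @w0 = Sunday, @w1 = Monday, ...; a missing count means 1, so -d is -1d). SAMPLE_NOW is a constructed timestamp and time_bounds/is_valid_modifier are helper names invented for the example.

```python
"""Model of Splunk relative-time modifiers (e.g. @d+10h, -1d@d+10h+32m).

Added illustration for this thread; not Splunk's implementation.
"""
import re
from datetime import datetime, timedelta

# Constructed "now" used by the examples and tests: Thu 2015-08-06 14:35:12
SAMPLE_NOW = datetime(2015, 8, 6, 14, 35, 12)

# One token is either an offset (optional sign, optional count, unit) or a
# snap ('@' + unit; @w0..@w7 pick the weekday, @w alone means Sunday).
_TOKEN = re.compile(r"([+-]?)(\d*)(mon|[smhdwqy])|@(w[0-7]?|mon|[smhdwqy])")


def _add_months(dt: datetime, months: int) -> datetime:
    """Shift dt by whole months, clamping the day to the target month's length."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    first_of_next = datetime(year + 1 if month == 12 else year, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def _offset(dt: datetime, sign: str, count: int, unit: str) -> datetime:
    """Apply one offset token; a missing count means 1 (Splunk's '-d' == '-1d')."""
    n = -count if sign == "-" else count
    if unit in ("s", "m", "h", "d", "w"):
        names = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
        return dt + timedelta(**{names[unit]: n})
    return _add_months(dt, n * {"mon": 1, "q": 3, "y": 12}[unit])


def _snap(dt: datetime, unit: str) -> datetime:
    """Apply one snap token: truncate dt to the start of the given unit."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit.startswith("w"):
        # @w and @w0 snap back to Sunday, @w1 to Monday, ..., @w7 to Sunday.
        n = int(unit[1:]) if len(unit) > 1 else 0
        target = (n - 1) % 7          # Python weekday(): Monday=0 ... Sunday=6
        return day - timedelta(days=(day.weekday() - target) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "q":
        return day.replace(month=((day.month - 1) // 3) * 3 + 1, day=1)
    return day.replace(month=1, day=1)  # "y"


def relative_time(now: datetime, modifier: str) -> datetime:
    """Evaluate a modifier chain left to right, modelling relative_time(now(), mod)."""
    mod = modifier.strip()
    if mod in ("", "now"):
        return now
    dt, pos = now, 0
    for m in _TOKEN.finditer(mod):
        if m.start() != pos:  # characters were skipped, so they are not a valid token
            raise ValueError(f"bad modifier {modifier!r} near {mod[pos:m.start()]!r}")
        pos = m.end()
        if m.group(4):
            dt = _snap(dt, m.group(4))
        else:
            count = int(m.group(2)) if m.group(2) else 1
            dt = _offset(dt, m.group(1), count, m.group(3))
    if pos != len(mod):
        raise ValueError(f"bad modifier {modifier!r} near {mod[pos:]!r}")
    return dt


def is_valid_modifier(modifier: str) -> bool:
    """True if the modifier parses, so a typo is caught before it reaches a search."""
    try:
        relative_time(SAMPLE_NOW, modifier)
        return True
    except ValueError:
        return False


def time_bounds(now: datetime, earliest: str, latest: str,
                fmt: str = "%m/%d/%Y:%H:%M:%S") -> str:
    """Render the earliest=/latest= clause the subsearch above emits (%T is %H:%M:%S)."""
    e = relative_time(now, earliest).strftime(fmt)
    l = relative_time(now, latest).strftime(fmt)
    return f'earliest="{e}" latest="{l}"'


if __name__ == "__main__":
    for mod in ("@d+10h", "@d+17h", "-1d@d+10h+32m", "@d-15h+30m", "-1mon@mon"):
        print(f"{mod:>16} -> {relative_time(SAMPLE_NOW, mod)}")
    print(time_bounds(SAMPLE_NOW, "@d+10h", "@d+21h"))
```

Note that offsets placed before the @ are applied before the snap and those after it are applied afterwards, which is why -1d@d+10h+32m lands on yesterday at 10:32 regardless of the current time of day. The search head's time zone determines what "@d" means, so run the check with a now value in the same zone as the scheduled search.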

ohlafl
Communicator

Thank you both, this worked perfectly.

0 Karma

ohlafl
Communicator

I understand, a bit difficult to explain; what I basically want to do is to replace earliest and latest with the date of the day that the search is performed, i.e. "today" in the format of MM/DD/YYYY:XX:00:00 (where X is a fixed time), sort of like:

index=someData earliest="get.todaysDate":10:00:00 latest="get.todaysDate":21:00:00

0 Karma

dwaddle
SplunkTrust
SplunkTrust

OH! Well that is perhaps even easier! Let me update the answer with the "right way" 🙂
