Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to structure search for dynamic earliest latest

ohlafl
Communicator
‎08-06-2015 05:00 AM

I have a search query that begins like this:

index=someData earliest=08/06/2015:10:00:00 latest=08/06/2015:21:00:00... rest of search.

I need to set the date of earliest and latest as dates of today and if I've understood it correctly I should be able to convert the now value to epoch time but then I need to use eval and that is not possible(?) within the first search pipe, how should I structure the search so that I can do this effectively?

Edit: I should mention that I cannot use any d@d or similar as I use the search in an overlay comparing results for two days and this will mess up the timeline.

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-06-2015 05:32 AM

I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html

HOWEVER, looking at your use case in the reply below you can probably accomplish the same with relative time trickery, something like:

earliest=@d+10h  latest=@d+17h  <rest of search>

The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.

earliest=-1d@d+10h+32m  latest=@d-15h+30m

Or other such tomfoolery. Perhaps this is more like what you're trying to do?

Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-06-2015 05:32 AM

I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html

HOWEVER, looking at your use case in the reply below you can probably accomplish the same with relative time trickery, something like:

earliest=@d+10h  latest=@d+17h  <rest of search>

The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.

earliest=-1d@d+10h+32m  latest=@d-15h+30m

Or other such tomfoolery. Perhaps this is more like what you're trying to do?

Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview

Reply
Solved! Jump to solution

sharan928
Engager
‎11-30-2016 11:28 AM

If we are using macros for earliest and latest, this approach of adding time would not work. We need to create a subsearch.

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎08-06-2015 06:08 AM

The @dwaddle solution applied: 

index=someData [noop|stats count|fields|eval earliest=relative_time(now(),"@d+10h")|eval latest=relative_time(now(),"@d+21h")| convert timeformat="%m/%d/%Y:%T" ctime(*)| format "" "" "" "" "" ""] ... rest of search
Reply
Solved! Jump to solution

ohlafl
Communicator
‎08-06-2015 06:37 AM

Thank you both, this worked perfectly.

0 Karma
Reply
Solved! Jump to solution

ohlafl
Communicator
‎08-06-2015 05:55 AM

I undestand, a bit difficult to explain, what I basically want to do is to replace earliest and latest with the date of the day that the search is perform, i.e "today" in the format of MM/DD/YYYY:XX:00:00 (where X is a fixed time), sort of like:

index=someData earliest="get.todaysDate":10:00:00 latest="get.todaysDate":21:00:00

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎08-06-2015 06:31 AM

OH! Well that is perhaps even easier! Let me update the answer with the "right way" 🙂

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...