Splunk Search

How to structure search for dynamic earliest latest

ohlafl
Communicator

I have a search query that begins like this:

index=someData earliest=08/06/2015:10:00:00 latest=08/06/2015:21:00:00... rest of search. 

I need to set the dates of earliest and latest to today's date. If I've understood it correctly, I should be able to convert the now value to epoch time, but then I need to use eval, and that is not possible(?) within the first search pipe. How should I structure the search so that I can do this effectively?

Edit: I should mention that I cannot use any d@d or similar, as I use the search in an overlay comparing results for two days, and this would mess up the timeline.

1 Solution

dwaddle
SplunkTrust

I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html

HOWEVER, looking at your use case in the reply below, you can probably accomplish the same with relative time trickery, something like:

earliest=@d+10h  latest=@d+17h  <rest of search>

The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.

earliest=-1d@d+10h+32m  latest=@d-15h+30m

Or other such tomfoolery. Perhaps this is more like what you're trying to do?

Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview

sharan928
Engager

If we are using macros for earliest and latest, this approach of adding time would not work. We need to create a subsearch.

acharlieh
Influencer

The @dwaddle solution applied:

index=someData [noop|stats count|fields|eval earliest=relative_time(now(),"@d+10h")|eval latest=relative_time(now(),"@d+21h")| convert timeformat="%m/%d/%Y:%T" ctime(*)| format "" "" "" "" "" ""] ... rest of search
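Added example, not code from the original posts or from Splunk: a small Python evaluator for the relative-time modifier syntax used in the accepted answer (earliest=@d+10h, -1d@d+10h+32m, @d-15h+30m) and by the relative_time() calls in the subsearch above. Modifiers are applied left to right: an offset such as -1d or +10h shifts the time, a snap such as @d truncates it to the start of that unit. The "now" value, the unit set (short names only) and the assumption that the subsearch hands back quoted earliest="..." latest="..." values are all mine, so use it to predict what a modifier string resolves to, not as a statement of Splunk internals.

```python
"""Evaluate Splunk-style relative time modifiers (e.g. "-1d@d+10h+32m").

Added example for this thread, not code from the original posts or from
Splunk. Tokens are applied left to right: an offset such as -1d or +10h
shifts the time, a snap such as @d truncates it to the start of that unit.
Only the short unit names (s, m, h, d, w, mon, y) are handled; Splunk also
accepts long forms and @w0..@w6, which are left out here.
"""
import calendar
import re
from datetime import datetime, timedelta

# Constructed "now": the afternoon of the day used in the question.
NOW = datetime(2015, 8, 6, 14, 37, 22)

# Same layout as the convert timeformat="%m/%d/%Y:%T" in the subsearch.
TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"

# One token: an offset "[+-]N<unit>" or a snap "@<unit>". "mon" is listed
# before "m" so that "1mon" is not read as "1m" followed by garbage.
_TOKEN = re.compile(r"([+-]?\d+)(mon|s|m|h|d|w|y)|@(mon|s|m|h|d|w|y)")


def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the unit (@w snaps to Sunday, as Splunk does)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"unknown snap unit {unit!r}")


def _offset(t: datetime, n: int, unit: str) -> datetime:
    """Shift t by n units; month/year steps clamp the day to the target month."""
    if unit in ("s", "m", "h", "d", "w"):
        kw = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}[unit]
        return t + timedelta(**{kw: n})
    months = t.year * 12 + (t.month - 1) + (n if unit == "mon" else 12 * n)
    year, month = divmod(months, 12)
    month += 1
    last = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last))


def relative_time(now: datetime, spec: str) -> datetime:
    """Resolve a relative-time specifier against now, the way earliest=/latest=
    and the eval relative_time() function are described as doing."""
    spec = spec.strip()
    if spec in ("", "now"):
        return now
    t, pos = now, 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"cannot parse {spec!r} at offset {pos}")
        pos = m.end()
        if m.group(3):                                  # snap token "@<unit>"
            t = _snap(t, m.group(3))
        else:                                           # offset token "[+-]N<unit>"
            t = _offset(t, int(m.group(1)), m.group(2))
    return t


def time_bounds(now: datetime, earliest: str, latest: str) -> str:
    """Build the earliest="..." latest="..." fragment a subsearch like the one
    above would hand back to the outer search (quoting of the values assumed)."""
    e = relative_time(now, earliest).strftime(TIMEFORMAT)
    l = relative_time(now, latest).strftime(TIMEFORMAT)
    return f'earliest="{e}" latest="{l}"'


if __name__ == "__main__":
    for spec in ("@d+10h", "@d+17h", "-1d@d+10h+32m", "@d-15h+30m", "-1mon@mon"):
        print(f"{spec:16} -> {relative_time(NOW, spec)}")
    print(time_bounds(NOW, "@d+10h", "@d+21h"))
```

Running it shows why order matters: @d-15h+30m snaps to midnight today first and then walks back, so it lands at 09:30 yesterday, which is earlier than the -1d@d+10h+32m earliest it is paired with in the answer. Worth checking a modifier string this way before it goes into a saved search or alert, since an inverted window quietly returns nothing.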

ohlafl
Communicator

Thank you both, this worked perfectly.

ohlafl
Communicator

I understand; it is a bit difficult to explain. What I basically want to do is to replace earliest and latest with the date of the day that the search is performed, i.e. "today", in the format MM/DD/YYYY:XX:00:00 (where XX is a fixed time), sort of like:

index=someData earliest="get.todaysDate":10:00:00 latest="get.todaysDate":21:00:00

dwaddle
SplunkTrust
SplunkTrust

OH! Well that is perhaps even easier! Let me update the answer with the "right way" 🙂
