Splunk Search

How to use the earliest and latest date in Metadata, metasearch, and tstats command?

rakeshksingh
New Member

I was wondering whether Splunk supports earliest and latest date in Metadata, metasearch, and tstats command?

I tried to check all the sites but couldn't find it.

How to use multiple metadata OR metasearch OR tstats command in a single search with different time ranges?

Could anyone please help me on this?

0 Karma

somesoni2
SplunkTrust

The regular search, tstats search and metasearch use a time range, so they support earliest and latest, either through the time range picker or inline in the search.

The metadata command, on the other hand, uses the time range picker for time ranges, but there is a glitch. It doesn't limit the metadata counts to just the events included in the time range; rather, it gives results based on the buckets included in the given time range, so it's highly inaccurate for time ranges other than All Time. See this documentation section for a great explanation of the same.
http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Metadata#Time_ranges

rakeshksingh
New Member

Thanks SomeSoni for your suggestion.

But I was looking to append two metadata commands with the same search pattern but different time ranges, as the first search will be 48 hours ago and the other will be 24 hours ago.

Something like this

| metadata type=sourcetypes earliest=-48h latest=-24h | append [| metadata type=sourcetypes earliest=-24h latest=-0h]

If you can help me on this, I would be grateful.

0 Karma

somesoni2
SplunkTrust

Use tstats for that; as I (and that link) indicated, the counts will be accurate for time ranges other than All Time.

| tstats count as totalEvents max(_time) as lastTime min(_time) as firstTime WHERE index=* earliest=-48h latest=-24h by sourcetype 
| append [| tstats count as totalEvents max(_time) as lastTime min(_time) as firstTime WHERE index=* earliest=-24h latest=-0h by sourcetype ]
0 Karma
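Building on the tstats answer above, here is an added example (not written by anyone in this thread) that pulls both 24-hour windows from a single tstats call instead of an append, then uses the two columns to flag sourcetypes whose event volume fell by more than 80% against the previous day, which is a quick way to spot a log source that has gone quiet. It assumes the same index=* scope as the answer; the @h snapping and the 80% threshold are my own choices.

```spl
| tstats count AS events WHERE index=* earliest=-48h@h latest=@h BY sourcetype _time span=1h
| eval window=if(_time < relative_time(now(), "-24h@h"), "previous", "current")
| chart sum(events) OVER sourcetype BY window
| fillnull value=0 previous current
| eval pct_change=if(previous > 0, round(100 * (current - previous) / previous, 1), null())
| where previous > 0 AND current < previous * 0.2
| sort pct_change
```

Snapping earliest, latest and the cutoff to @h keeps every hourly bucket entirely inside one window, so no bucket is split across "previous" and "current"; drop the final where clause to see the comparison for every sourcetype.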