Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If statement for earliest time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that needs to either snap to 7am ( -7h@d+7h) or 7pm ( -7h@d+19h) depending on whether the time of search ( now()) is between 7am-7pm or 7pm-7am. For example, if it is 8:30am, I need to see my search using earliest=-7h@d+7h, but if it is 21:15, I need see my search using earliest=-7h@d+19h.
I tried the following if statement, but it doesn't work.
earliest=if(now()>="-7h@d+7h" AND now()<"-7h@d+19h", "-7h@d+7h", "-7h@d+19h")
This is for an embedded report, so I wasn't thinking I could use any XML or tokens.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval earliest=if(now()<=relative_time(now(),"-7h@d+7h") AND now()>=relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest Your Search Here"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
| makeresults
| eval earliest=if(now()<=relative_time(now(),"-7h@d+7h") AND now()>=relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest Your Search Here"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some minor typos, but otherwise this works. Thank you!
| makeresults
| eval earliest=if(now()>=relative_time(now(),"-7h@d+7h") AND now()<relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h")
| map search="search earliest=$earliest$ Your Search Here"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bonus question - how do I escape quotes without using XML (this code is going in a macro)?
My map search pipe needs to look like this:
| map search = "search earliest=$earliest$ index=my_index Process="Thing & Thing" Parameter=my_parameter"
I've determined that the quotes around "Thing & Thing" are messing up the search string.
My workaround is to add another line below map search with
| search Process="Thing & Thing"
but this seems really kludgy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can escape by using ... \"Thing & Thing\" ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To handle that in search itself, you need to override earliest using subsearch, like this
your base search [| gentimes start=-1 | eval earliest=if(now()<=relative_time(now(),"-7h@d+7h") AND now()>=relative_time(now(),"-7h@d+19h"),"-7h@d+7h", "-7h@d+19h") | table earliest ] ...| rest of the search
I've used the relative time modifier from your question, so check if that's giving you correct values.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
