Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful
Path Finder
‎07-31-2024 03:41 AM

Hi Splukers

I'm looking for cross compare some events with other system data, using an initial search for the event and then using map to load data from another index

 

index=event sourcetype=eventdat
| where like(details,"...")) 
| eval earliest=floor(_time), latest=ceil(_time+2)
| table _time details earliest latest
| map 
    [ search index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$
    | stats count as counter
    | eval details=$details$, earliest=$earliest$, latest=$latest$ 
    | table _time details counter earliest latest] maxsearches=10

 

 

When running I get the error:
Invalid value "$earliest$" for time term 'earliest'

I've tried $$ and "$...$" with no luck. I can't figure out why $earliest$ isn't being passed.

 

Any help would be appreciated (:

 

Notes: I've reviewed these posts but they don't seem relevant

https://community.splunk.com/t5/Splunk-Search/Invalid-value-X-for-time-term-earliest-but-only-for-sp...

https://community.splunk.com/t5/Splunk-Search/Invalid-value-quot-week-quot-for-time-term-earliest/m-...

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dataisbeautiful
Path Finder
4 weeks ago

I've been in touch with support, this is a known issue and there's no plan to fix.

There is a workaround that can be used:

 

| map [search index=_internal [| makeresults | eval earliest=$earliest$, latest=$latest$ | return earliest, latest]

 

 

It's a bit longer and needs another subsearch, but can be easier than escaping everything.

 

Thanks everyone for their input @PickleRick @richgalloway 

View solution in original post

Reply
Solved! Jump to solution
Solution

dataisbeautiful
Path Finder
4 weeks ago

I've been in touch with support, this is a known issue and there's no plan to fix.

There is a workaround that can be used:

 

| map [search index=_internal [| makeresults | eval earliest=$earliest$, latest=$latest$ | return earliest, latest]

 

 

It's a bit longer and needs another subsearch, but can be easier than escaping everything.

 

Thanks everyone for their input @PickleRick @richgalloway 

Reply
Solved! Jump to solution

dataisbeautiful
Path Finder
‎08-01-2024 08:03 AM

Some more digging, this seems to be the same issue:

https://community.splunk.com/t5/Splunk-Search/Having-a-problem-substituting-value-for-earliest-in-a-...

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2024 05:25 AM

It's not that $earliest$ is not being passed, it's that the value being passed is invalid.  The value for the earliest option must be a time modifier ("-1d", for example) or a timestamp in the format %m/%d/%Y:%H:%M:%S.  It cannot be an epoch timestamp, but you can use strftime to convert an epoch into the expected format.

| eval earliest = strftime(earliest, "%m/%d/%Y:%H:%M:%S")

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-31-2024 07:55 AM

I beg to differ.

I've used earliest/latest with epoch timestamps many times.

0 Karma
Reply
Solved! Jump to solution

dataisbeautiful
Path Finder
‎07-31-2024 07:58 AM

Agreed @PickleRick 

I've just done a test and epoch times work just fine with earliest and latest in a search. The formatting seems to be a red herring here.

0 Karma
Reply
Solved! Jump to solution

dataisbeautiful
Path Finder
‎07-31-2024 06:45 AM

Hi @richgalloway 

Thanks for the tip, I've updated my query

 

 

index=event sourcetype=eventdat
| where like(details,"...")) 
| eval earliest=strftime(floor(_time), "%m/%d/%Y:%H:%M:%S"), latest=strftime(ceil(_time+2), "%m/%d/%Y:%H:%M:%S")
| table _time details earliest latest
| map 
    [ search index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$
    | stats count as counter
    | eval details=$details$, earliest="$earliest$", latest="$latest$" 
    | table _time details counter earliest latest] maxsearches=10

 

 

It's still throwing the error

Invalid value "$earliest$" for time term 'earliest' 

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2024 07:10 AM

I see another syntax error.  The map command expects its search string to be in quotation marks rather than as a subsearch.  The $earliest$ form doesn't work in subsearches (except in a dashboard).

 

index=event sourcetype=eventdat
| where like(details,"...")) 
| eval earliest=strftime(floor(_time), "%m/%d/%Y:%H:%M:%S"), latest=strftime(ceil(_time+2), "%m/%d/%Y:%H:%M:%S")
| table _time details earliest latest
| map maxsearches=10
    search = "index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$
    | stats count as counter
    | eval details=$details$, earliest=\"$earliest$\", latest=\"$latest$\" 
    | table _time details counter earliest latest"

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dataisbeautiful
Path Finder
‎07-31-2024 07:15 AM

Hmm, the documentation says map can use a subsearch

3. Use the map command with a subsearch
For complex ad hoc searches, use a subsearch for your map search

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map#Basic_examples

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-31-2024 07:38 AM

I can't say I've seen that form used in the wild.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-31-2024 09:52 AM

It's not very common but it lets you avoid escaping yourself to death 😉

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...