Splunk Search

Invalid value "$earliest$" for time term 'earliest'

dataisbeautiful
Path Finder

Hi Splunkers,

I'm looking to cross-compare some events with other system data, using an initial search for the event and then using map to load data from another index:

index=event sourcetype=eventdat
| where like(details,"...")
| eval earliest=floor(_time), latest=ceil(_time+2)
| table _time details earliest latest
| map
    [ search index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$
    | stats count as counter
    | eval details=$details$, earliest=$earliest$, latest=$latest$
    | table _time details counter earliest latest] maxsearches=10

When running I get the error:
Invalid value "$earliest$" for time term 'earliest'

I've tried $$ and "$...$" with no luck. I can't figure out why $earliest$ isn't being passed.

Any help would be appreciated (:

Notes: I've reviewed these posts, but they don't seem relevant.

https://community.splunk.com/t5/Splunk-Search/Invalid-value-X-for-time-term-earliest-but-only-for-sp...

https://community.splunk.com/t5/Splunk-Search/Invalid-value-quot-week-quot-for-time-term-earliest/m-...

0 Karma
1 Solution

dataisbeautiful
Path Finder

I've been in touch with support; this is a known issue and there's no plan to fix it.

There is a workaround that can be used:

| map [search index=_internal [| makeresults | eval earliest=$earliest$, latest=$latest$ | return earliest, latest]]

It's a bit longer and needs another subsearch, but can be easier than escaping everything.

Thanks, everyone, for your input @PickleRick @richgalloway

View solution in original post
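A self-contained version of the accepted workaround, added here as an example and not code from the original thread: instead of the poster's event index it fabricates three synthetic "events" with makeresults, so it can be pasted into any Splunk search bar, and maps each one into index=_internal sourcetype=splunkd (present on every Splunk instance). The nested makeresults/return subsearch supplies earliest and latest at map time, so the outer search never contains the literal earliest=$earliest$ time term that the parser rejects. The sourcetype choice, the 10-minute spacing of the synthetic events and the details values are all assumptions made for the example.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=now() - (n * 600), details="synthetic-event-" . n
| eval earliest=floor(_time), latest=ceil(_time + 2)
| table _time details earliest latest
| map
    [ search index=_internal sourcetype=splunkd
        [| makeresults | eval earliest=$earliest$, latest=$latest$ | return earliest, latest]
      | stats count AS counter
      | eval details="$details$", earliest=$earliest$, latest=$latest$
      | table details counter earliest latest ] maxsearches=3
```

The result is three rows, one per synthetic event, where counter is the number of splunkd log lines written in that event's 2-second window (it may well be 0 on a quiet instance; the point is that the search parses and runs without the time-term error). maxsearches caps the fan-out, since map launches one search per input row. One caveat for real data: map substitutes $field$ tokens textually into the generated search, so a details value taken from untrusted event data that contains a double quote or a pipe can alter the mapped search; restrict the mapped search to numeric fields such as earliest and latest, or sanitise string fields, before using this pattern on log content you do not control.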


richgalloway
SplunkTrust

It's not that $earliest$ is not being passed, it's that the value being passed is invalid. The value for the earliest option must be a time modifier ("-1d", for example) or a timestamp in the format %m/%d/%Y:%H:%M:%S. It cannot be an epoch timestamp, but you can use strftime to convert an epoch into the expected format.

| eval earliest = strftime(earliest, "%m/%d/%Y:%H:%M:%S")

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust

I beg to differ.

I've used earliest/latest with epoch timestamps many times.

0 Karma

dataisbeautiful
Path Finder

Agreed @PickleRick 

I've just done a test and epoch times work just fine with earliest and latest in a search. The formatting seems to be a red herring here.

0 Karma

dataisbeautiful
Path Finder

Hi @richgalloway 

Thanks for the tip. I've updated my query:

index=event sourcetype=eventdat
| where like(details,"...")
| eval earliest=strftime(floor(_time), "%m/%d/%Y:%H:%M:%S"), latest=strftime(ceil(_time+2), "%m/%d/%Y:%H:%M:%S")
| table _time details earliest latest
| map
    [ search index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$
    | stats count as counter
    | eval details=$details$, earliest="$earliest$", latest="$latest$"
    | table _time details counter earliest latest] maxsearches=10

It's still throwing the error

Invalid value "$earliest$" for time term 'earliest'

0 Karma

richgalloway
SplunkTrust

I see another syntax error. The map command expects its search string to be in quotation marks rather than as a subsearch. The $earliest$ form doesn't work in subsearches (except in a dashboard).

index=event sourcetype=eventdat
| where like(details,"...")
| eval earliest=strftime(floor(_time), "%m/%d/%Y:%H:%M:%S"), latest=strftime(ceil(_time+2), "%m/%d/%Y:%H:%M:%S")
| table _time details earliest latest
| map maxsearches=10
    search="index=sys_stats sourcetype=statdat device=\"...\" earliest=$earliest$ latest=$latest$
    | stats count as counter
    | eval details=$details$, earliest=\"$earliest$\", latest=\"$latest$\"
    | table _time details counter earliest latest"

---
If this reply helps you, Karma would be appreciated.
0 Karma

dataisbeautiful
Path Finder

Hmm, the documentation says map can use a subsearch:

3. Use the map command with a subsearch
For complex ad hoc searches, use a subsearch for your map search

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map#Basic_examples

0 Karma

richgalloway
SplunkTrust

I can't say I've seen that form used in the wild.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust

It's not very common but it lets you avoid escaping yourself to death 😉

0 Karma