Latest + add 1 hour

Eogs · ‎07-19-2011

Hello splunk users,

I have a search string with earliest defined and i want to define latest as "latest=earliest+1H". But how can i do that?

gkanapathy · ‎07-19-2011

How are you getting the "earliest" time set?

dwaddle · ‎07-19-2011

This is not pretty at all, but does seem to work. I'll be honest, I only marginally understand how it does work.

[ search earliest=-2h@h 
| addinfo 
| head 1 
| eval earliest=info_min_time
| eval latest=info_min_time+3600
| fields earliest,latest 
| format "(" "(" "" ")" "OR" ")" ] 
the rest of your search

The subsearch (basically, if I understand it right) recomputes earliest and latest for the outer search based on the info_min_time provided by addinfo in the outer search.

This is quite admittedly an ugly, hackish solution. I hope that someone can provide a more elegant one.

sk314 · ‎05-11-2016

This is so awesome. Worked perfectly.

marcoscala · ‎05-15-2014

I tried for a similar problem and it worked!
Great!

Marco

dwaddle · ‎07-20-2011

So earliest and latest understand time_t directly? Did not get that from the docs (but did not try it). Sweet!

gkanapathy · ‎07-19-2011

You don't need the strftime() function, just eval earliest=info_min_time and eval earliest=info_min_time+3600 will be fine. The format command is fine, but it would be more generally accurate to use format "(" "(" "" ")" "OR" ")" instead.

Eogs · ‎07-19-2011

But when i write my searchstring is it possible to write something like index="summary" earliest="07/18/2011:09:00:00" latest=startime+1h ???

fk319 · ‎07-20-2011

you also have the option of "searchtimespanminutes"

http://www.splunk.com/base/Documentation/4.1.5/SearchReference/SearchTimeModifiers#List_of_time_modi...

Splunkster45 · ‎04-27-2015

I had the same question and searchtimespanminutes worked for me. It's concise and easy to use. I wish this was an answer I could upvote!

fk319 · ‎07-20-2011

Refer to example 2 of chain

fk319 · ‎07-19-2011

under the search option you have earlist and latest time

you can "chain" times

I am not sure how you are specifing your start time, but the end time would be (<starttime>+h)

probably not the answer you are looking for, but I am hoping it is a baby step.

Eogs · ‎07-19-2011

Yeah, but my earliest could be something like earliest="07/18/2011:09:00:00" and then latest should be latest="07/18/2011:10:00:00". But i don´t want latest to be static, i want it to be defined from earliest time. Is that posible? maybe i can use eval or strptime?

kenchisho · ‎07-19-2011

Assuming your earliest timeis a relative earliest easiest would be to say something like

earliest=-2h

latest=-1h

That would grab events from 2 hours ago to 1 hour ago.

hope that helps

Latest + add 1 hour

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

Latest + add 1 hour

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability