Latest + add 1 hour

Eogs
Explorer

Hello splunk users,

I have a search string with earliest defined and I want to define latest as "latest=earliest+1H". But how can I do that?

gkanapathy
Splunk Employee

How are you getting the "earliest" time set?

0 Karma

dwaddle
SplunkTrust

This is not pretty at all, but does seem to work. I'll be honest, I only marginally understand how it does work.

[ search earliest=-2h@h 
| addinfo 
| head 1 
| eval earliest=info_min_time
| eval latest=info_min_time+3600
| fields earliest,latest 
| format "(" "(" "" ")" "OR" ")" ] 
the rest of your search

The subsearch (basically, if I understand it right) recomputes earliest and latest for the outer search based on the info_min_time provided by addinfo in the outer search.

This is quite admittedly an ugly, hackish solution. I hope that someone can provide a more elegant one.

sk314
Builder

This is so awesome. Worked perfectly.

0 Karma

marcoscala
Builder

I tried for a similar problem and it worked!
Great!

Marco

0 Karma

dwaddle
SplunkTrust

So earliest and latest understand time_t directly? Did not get that from the docs (but did not try it). Sweet!

0 Karma

gkanapathy
Splunk Employee

You don't need the strftime() function, just eval earliest=info_min_time and eval earliest=info_min_time+3600 will be fine. The format command is fine, but it would be more generally accurate to use format "(" "(" "" ")" "OR" ")" instead.

Eogs
Explorer

But when I write my search string, is it possible to write something like index="summary" earliest="07/18/2011:09:00:00" latest=startime+1h?

0 Karma

Splunkster45
Communicator

I had the same question and searchtimespanminutes worked for me. It's concise and easy to use. I wish this was an answer I could upvote!

0 Karma

fk319
Builder

Refer to example 2 of chain

0 Karma

fk319
Builder

Under the search option you have earliest and latest time.

You can "chain" times.

I am not sure how you are specifying your start time, but the end time would be (<starttime>+h).

probably not the answer you are looking for, but I am hoping it is a baby step.

0 Karma

Eogs
Explorer

Yeah, but my earliest could be something like earliest="07/18/2011:09:00:00" and then latest should be latest="07/18/2011:10:00:00". But I don't want latest to be static, I want it to be defined from the earliest time. Is that possible? Maybe I can use eval or strptime?
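An added example, written for this thread and not posted by anyone in it, that applies dwaddle's subsearch-plus-format technique to the fixed earliest time asked about here: the window start is parsed with strptime and the end derived with relative_time inside makeresults, so the subsearch always returns one row even if no event exists in the window (dwaddle's version needs at least one event for head 1). It assumes an index named summary, a Splunk version that has makeresults, and that the timestamp is meant in the time zone of the user running the search (strptime uses that zone when the string carries none).

```spl
index="summary"
    [ makeresults
      | eval earliest=round(strptime("07/18/2011:09:00:00", "%m/%d/%Y:%H:%M:%S"))
      | eval latest=relative_time(earliest, "+1h")
      | fields earliest latest
      | format "(" "(" "" ")" "OR" ")" ]
```

Run the bracketed part on its own (from makeresults to format) to see the exact earliest/latest epoch pair the subsearch injects before trusting it in a real search; "+1h" can be any relative-time modifier.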

kenchisho
Path Finder

Assuming your earliest time is a relative earliest, the easiest would be to say something like

earliest=-2h

latest=-1h

That would grab events from 2 hours ago to 1 hour ago.

hope that helps

0 Karma