
Latest + add 1 hour

Explorer

Hello splunk users,

I have a search string with earliest defined and I want to define latest as "latest=earliest+1H". But how can I do that?


Re: Latest + add 1 hour

Path Finder

Assuming your earliest time is a relative earliest, the easiest would be to say something like

earliest=-2h

latest=-1h

That would grab events from 2 hours ago to 1 hour ago.

Hope that helps.


Re: Latest + add 1 hour

Explorer

Yeah, but my earliest could be something like earliest="07/18/2011:09:00:00" and then latest should be latest="07/18/2011:10:00:00". But I don't want latest to be static, I want it to be defined from the earliest time. Is that possible? Maybe I can use eval or strptime?


Re: Latest + add 1 hour

Contributor

Under the search option you have earliest and latest time.

You can "chain" times.

I am not sure how you are specifying your start time, but the end time would be (<starttime>+h).

Probably not the answer you are looking for, but I am hoping it is a baby step.


Re: Latest + add 1 hour

Explorer

But when I write my search string, is it possible to write something like index="summary" earliest="07/18/2011:09:00:00" latest=starttime+1h ???


Re: Latest + add 1 hour

Contributor

Refer to example 2 of chain.


Re: Latest + add 1 hour

Communicator

I had the same question and searchtimespanminutes worked for me. It's concise and easy to use. I wish this was an answer I could upvote!


Re: Latest + add 1 hour

SplunkTrust

This is not pretty at all, but does seem to work. I'll be honest, I only marginally understand how it does work.

[ search earliest=-2h@h 
| addinfo 
| head 1 
| eval earliest=info_min_time
| eval latest=info_min_time+3600
| fields earliest,latest 
| format "(" "(" "" ")" "OR" ")" ] 
the rest of your search

The subsearch (basically, if I understand it right) recomputes earliest and latest for the outer search based on the info_min_time provided by addinfo in the outer search.

This is quite admittedly an ugly, hackish solution. I hope that someone can provide a more elegant one.


Re: Latest + add 1 hour

Legend

You don't need the strftime() function, just eval earliest=info_min_time and eval latest=info_min_time+3600 will be fine. The format command is fine, but it would be more generally accurate to use format "(" "(" "" ")" "OR" ")" instead.
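For the absolute start time from the question, the same subsearch trick can derive latest without addinfo. This is an added example, not code from any poster in the thread; it assumes the makeresults command and the relative_time() eval function are available (Splunk 6.3 or later) and the index "summary" from the question.

```spl
index="summary"
    [ | makeresults
      | eval earliest=strptime("07/18/2011:09:00:00", "%m/%d/%Y:%H:%M:%S")
      | eval latest=relative_time(earliest, "+1h")
      | fields earliest latest
      | format "(" "(" "" ")" "OR" ")" ]
```

The subsearch expands to ( ( earliest="<epoch>" latest="<epoch+3600>" ) ), with the epoch computed in the searching user's time zone, so the outer search covers exactly the hour after the start time; changing only the string passed to strptime moves the whole window.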