Splunk Search

Latest + add 1 hour

Eogs
Explorer

Hello splunk users,

I have a search string with earliest defined and i want to define latest as "latest=earliest+1H". But how can i do that?

Tags (3)

gkanapathy
Splunk Employee
Splunk Employee

How are you getting the "earliest" time set?

0 Karma

dwaddle
SplunkTrust
SplunkTrust

This is not pretty at all, but does seem to work. I'll be honest, I only marginally understand how it does work.

[ search earliest=-2h@h 
| addinfo 
| head 1 
| eval earliest=info_min_time
| eval latest=info_min_time+3600
| fields earliest,latest 
| format "(" "(" "" ")" "OR" ")" ] 
the rest of your search

The subsearch (basically, if I understand it right) recomputes earliest and latest for the outer search based on the info_min_time provided by addinfo in the outer search.

This is quite admittedly an ugly, hackish solution. I hope that someone can provide a more elegant one.

sk314
Builder

This is so awesome. Worked perfectly.

0 Karma

marcoscala
Builder

I tried for a similar problem and it worked!
Great!

Marco

0 Karma

dwaddle
SplunkTrust
SplunkTrust

So earliest and latest understand time_t directly? Did not get that from the docs (but did not try it). Sweet!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You don't need the strftime() function, just eval earliest=info_min_time and eval earliest=info_min_time+3600 will be fine. The format command is fine, but it would be more generally accurate to use format "(" "(" "" ")" "OR" ")" instead.

Eogs
Explorer

But when i write my searchstring is it possible to write something like index="summary" earliest="07/18/2011:09:00:00" latest=startime+1h ???

0 Karma

fk319
Builder
0 Karma

Splunkster45
Communicator

I had the same question and searchtimespanminutes worked for me. It's concise and easy to use. I wish this was an answer I could upvote!

0 Karma

fk319
Builder

Refer to example 2 of chain

0 Karma

fk319
Builder

under the search option you have earlist and latest time

you can "chain" times

I am not sure how you are specifing your start time, but the end time would be (<starttime>+h)

probably not the answer you are looking for, but I am hoping it is a baby step.

0 Karma

Eogs
Explorer

Yeah, but my earliest could be something like earliest="07/18/2011:09:00:00" and then latest should be latest="07/18/2011:10:00:00". But i don´t want latest to be static, i want it to be defined from earliest time. Is that posible? maybe i can use eval or strptime?

kenchisho
Path Finder

Assuming your earliest timeis a relative earliest easiest would be to say something like

earliest=-2h

latest=-1h

That would grab events from 2 hours ago to 1 hour ago.

hope that helps

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...