Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Problem in time query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem in time query
Hello everyone,
i have this search that uses time range picker and my specific time range is 01/07/2018 to 01/13/2018, and i have a subsearch that time range should be equivalent to the past 4 weeks in my first search query which should be 12/10/2017 to 01/06/2018 .
my problem is i don't know how to get those values and use it in my subsearch's time range (earlist and latest) .
this is PART of my query, please provide me some example on how to solve this problem.
index="lrt_raw" DEVICE_ID=T*
|dedup _raw
|stats sum(TXN_AMT) as "SJT" by date_wday
|join type=inner date_wday [search index=rms report_id=0153A earliest=-28d@d latest=-8d@m
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ygdrassil, please try the the following run anywhere dashboard which uses a dummy search to pick the selected Time input's Earliest Time using predefined search token $job.earliestTime$ (in string time format) and uses <eval> with relative_time and strptime to get earliest time ($subSearchEarliest$) for sub search as the current day 4 weeks ago -4w@d (if you need start of week 4 weeks ago it would be -4w@0w) and for latest time ($subSearchLatest$) select previous day based on earliest time using -1d@d. Please try the run anywhere dashboard and confirm.
<form>
<label>Time for subsearch from same timepicker</label>
<search>
<query>| makeresults
</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<progress>
<eval token="subSearchEarliest">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-4w@w0")</eval>
<eval token="subSearchLatest">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-1d@d")</eval>
</progress>
</search>
<fieldset submitButton="false">
<input type="time" token="tokTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd earliest=$subSearchEarliest$ latest="$subSearchLatest$"
| stats count by log_level
| append [|makeresults| fields - _time| eval log_level="INFO",count=0]
| dedup log_level
| eval subSearchEarliestTime=strftime($subSearchEarliest$,"%Y/%m/%d %H:%M:%S"), subLatestTime=strftime($subSearchLatest$,"%Y/%m/%d %H:%M:%S")</query>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">0</option>
</table>
</panel>
</row>
</form>
PS: Commands | append [|makeresults| fields - _time| eval log_level="INFO",count=0] | dedup log_level have been added to return at least one row for the demo query to run in case there is no data in _internal index from 4 weeks ago.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try using epoch time. Also in time picker select all time so it will not affect you custom query time:
index="lrt_raw" DEVICE_ID=T*
earliest=1515263400 latest=1515868200
|dedup _raw
|stats sum(TXN_AMT) as "SJT" by date_wday
|join type=inner date_wday [search index=rms report_id=0153A earliest=1507746600 latest= 1515263399]
Your Guide to Splunk Digital Experience Monitoring
Data Management Digest – November 2025
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
