Splunk Search

Problem in time query

ygdrassil
Engager

Hello everyone,

I have this search that uses the time range picker, and my specific time range is 01/07/2018 to 01/13/2018. I have a subsearch whose time range should be equivalent to the past 4 weeks relative to my first search query, which should be 12/10/2017 to 01/06/2018.

My problem is I don't know how to get those values and use them in my subsearch's time range (earliest and latest).

This is PART of my query; please provide me some example of how to solve this problem.

index="lrt_raw" DEVICE_ID=T*
| dedup _raw
| stats sum(TXN_AMT) as "SJT" by date_wday
| join type=inner date_wday [search index=rms report_id=0153A earliest=-28d@d latest=-8d@m]

0 Karma

niketn
Legend

@ygdrassil, please try the following run anywhere dashboard which uses a dummy search to pick the selected Time input's Earliest Time using the predefined search token $job.earliestTime$ (in string time format) and uses <eval> with relative_time and strptime to get the earliest time ($subSearchEarliest$) for the sub search as the current day 4 weeks ago -4w@d (if you need the start of the week 4 weeks ago it would be -4w@0w) and for the latest time ($subSearchLatest$) selects the previous day based on the earliest time using -1d@d. Please try the run anywhere dashboard and confirm.

<form>
  <label>Time for subsearch from same timepicker</label>
  <search>
    <query>| makeresults
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <progress>
      <!-- Runs as the dummy search progresses; $job.earliestTime$ is the picker's
           resolved earliest time as a string, parsed back to epoch and shifted -->
      <eval token="subSearchEarliest">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-4w@w0")</eval>
      <eval token="subSearchLatest">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-1d@d")</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd earliest=$subSearchEarliest$ latest="$subSearchLatest$"
          | stats count by log_level
          | append [|makeresults| fields - _time| eval log_level="INFO",count=0] 
          | dedup log_level
          | eval subSearchEarliestTime=strftime($subSearchEarliest$,"%Y/%m/%d %H:%M:%S"), subLatestTime=strftime($subSearchLatest$,"%Y/%m/%d %H:%M:%S")</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
      </table>
    </panel>
  </row>
</form>

PS: Commands | append [|makeresults| fields - _time| eval log_level="INFO",count=0] | dedup log_level have been added to return at least one row for the demo query to run in case there is no data in _internal index from 4 weeks ago.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

p_gurav
Champion

Can you try using epoch time? Also, in the time picker select All time so it will not affect your custom query time:

index="lrt_raw" DEVICE_ID=T* earliest=1515263400 latest=1515868200
| dedup _raw
| stats sum(TXN_AMT) as "SJT" by date_wday
| join type=inner date_wday [search index=rms report_id=0153A earliest=1512844200 latest=1515263399]
0 Karma
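A single-search variant, added here as an example and not part of either answer above, that derives the subsearch window from the time picker inside SPL itself, so there is no dashboard token plumbing and no hard-coded epoch. A subsearch inherits the time range of the search it sits in, addinfo exposes the lower bound of that range as info_min_time, and return emits earliest="…" latest="…" straight into the rms search. Index, field and report names are the ones from the question; PAST_4W is an assumed output name for the prior-four-week total, and the inner dedup/stats mirror the outer query because the question cuts off before them. Two caveats worth knowing: latest is exclusive in Splunk, so using the picker's own earliest as the subsearch latest keeps all of the preceding day, whereas -1d@d relative to the earliest stops at the start of that day; and a hard-coded epoch bakes in a timezone (the epochs posted above are local midnight in UTC+05:30), while relative_time below follows the same timezone as the picker. Explanation is kept out of the SPL so it pastes into versions that predate ```comment``` syntax.

```spl
index="lrt_raw" DEVICE_ID=T*
| dedup _raw
| stats sum(TXN_AMT) as "SJT" by date_wday
| join type=inner date_wday
    [ search index=rms report_id=0153A
        [ | makeresults
          | addinfo
          | eval earliest=round(relative_time(tonumber(info_min_time), "-4w")),
                latest=round(tonumber(info_min_time))
          | return earliest latest ]
      | dedup _raw
      | stats sum(TXN_AMT) as "PAST_4W" by date_wday ]
```

With the picker set to 01/07/2018 through 01/13/2018 this yields earliest 12/10/2017 00:00 and latest 01/07/2018 00:00 in the search's timezone, i.e. the four weeks ending just before the selected range. Swap "-4w" for "-4w@w0" if the picker start is not week-aligned and you want the window snapped back to a Sunday. Do not run it with the picker on All time: info_min_time is then 0, the computed bounds land in 1969, and the rms subsearch effectively becomes unbounded.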