Splunk Search

Problem in time query

ygdrassil
Engager

Hello everyone,

I have this search that uses the time range picker, and my specific time range is 01/07/2018 to 01/13/2018. I have a subsearch whose time range should be equivalent to the past 4 weeks relative to my first search query, which should be 12/10/2017 to 01/06/2018.

My problem is that I don't know how to get those values and use them in my subsearch's time range (earliest and latest).

This is PART of my query; please give me an example of how to solve this problem.

index="lrt_raw" DEVICE_ID=T*
|dedup _raw
|stats sum(TXN_AMT) as "SJT" by date_wday
|join type=inner date_wday [search index=rms report_id=0153A earliest=-28d@d latest=-8d@m

0 Karma

niketn
Legend

@ygdrassil, please try the following run-anywhere dashboard. It uses a dummy search to pick the selected Time input's earliest time via the predefined search token $job.earliestTime$ (in string time format), and uses <eval> with relative_time and strptime to get the earliest time ($subSearchEarliest$) for the subsearch as the current day 4 weeks ago, -4w@d (if you need the start of the week 4 weeks ago it would be -4w@0w), and for the latest time ($subSearchLatest$) selects the previous day based on the earliest time using -1d@d. Please try the run-anywhere dashboard and confirm.

<form>
  <label>Time for subsearch from same timepicker</label>
  <search>
    <query>| makeresults
    </query>
    <earliest>$tokTime.earliest$</earliest>
    <latest>$tokTime.latest$</latest>
    <progress>
      <eval token="subSearchEarliest">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-4w@w0")</eval>
      <eval token="subSearchLatest">relative_time(strptime($job.earliestTime$,"%Y/%m/%dT%H:%M:%S"),"-1d@d")</eval>
    </progress>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="tokTime" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd earliest=$subSearchEarliest$ latest="$subSearchLatest$"
          | stats count by log_level
          | append [|makeresults| fields - _time| eval log_level="INFO",count=0] 
          | dedup log_level
          | eval subSearchEarliestTime=strftime($subSearchEarliest$,"%Y/%m/%d %H:%M:%S"), subLatestTime=strftime($subSearchLatest$,"%Y/%m/%d %H:%M:%S")</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">0</option>
      </table>
    </panel>
  </row>
</form>

PS: The commands | append [|makeresults| fields - _time| eval log_level="INFO",count=0] | dedup log_level have been added so that at least one row is returned for the demo query to run in case there is no data in the _internal index from 4 weeks ago.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

p_gurav
Champion

Can you try using epoch time? Also, in the time picker select All time so it will not affect your custom query time:

index="lrt_raw" DEVICE_ID=T*
earliest=1515263400 latest=1515868200
|dedup _raw
|stats sum(TXN_AMT) as "SJT" by date_wday
|join type=inner date_wday [search index=rms report_id=0153A earliest=1512844200 latest=1515263399]
0 Karma
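The two answers above get at the subsearch bounds in different ways: niketn's dashboard derives them from the picker's earliest time with relative_time(), and p_gurav hard-codes epoch values. The script below is an added example, not code from the thread, that reimplements the subset of Splunk's relative time modifier syntax used here (an offset in s/m/h/d/w followed by a snap to s/m/h/d or to a weekday w0..w6, with w0 = Sunday; month and year units are left out) so those numbers can be checked offline. It assumes the search head runs at UTC+05:30 (IST), which is the offset under which 1515263400 is 07/01/2018 00:00 local; the helper names are mine. One caveat worth seeing in numbers: Splunk's latest bound is exclusive (events with _time < latest), so "-1d@d" applied to a midnight earliest ends the subsearch at the start of the previous day and drops that whole day, whereas "@d" (or simply the picker's own earliest, as in the epoch answer) ends it exactly where the main search begins.

```python
"""Check what the subsearch time bounds discussed in this thread evaluate to.

Added example, not code from the thread. Reimplements the subset of Splunk's
relative time modifier syntax used above (offset in s/m/h/d/w, then snap to
s/m/h/d or to a weekday w0..w6, w0 = Sunday); month and year units are not
handled. Helper names and the UTC+05:30 zone are assumptions, not the thread's.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed: the search head's time zone is UTC+05:30 (IST). That is the offset
# under which 1515263400 is 07/01/2018 00:00 local, as in the epoch answer.
IST = timezone(timedelta(hours=5, minutes=30))

_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_MODIFIER = re.compile(
    r"^(?:(?P<off>[+-]?\d+)(?P<unit>[smhdw]))?(?:@(?P<snap>[smhd]|w[0-6]?))?$"
)


def ist(year, month, day, hour=0, minute=0, second=0):
    """Local (UTC+05:30) wall-clock time as an aware datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=IST)


def relative_time(ref, modifier):
    """Apply a Splunk relative time modifier such as "-4w@d" to an aware datetime.

    Splunk applies the offset first, then snaps *down* to the boundary, in the
    user's time zone. With a fixed-offset zone, plain timedelta arithmetic and
    replace() give the same wall-clock result Splunk's relative_time() would.
    """
    if modifier in ("", "now"):
        return ref
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    t = ref
    if m.group("off"):
        t = t + timedelta(**{_UNIT[m.group("unit")]: int(m.group("off"))})
    snap = m.group("snap")
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap:  # "d", or "w"/"wN": snap to midnight, then back to weekday N
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        if snap.startswith("w"):
            target = int(snap[1:] or "0")      # Splunk: w0 = Sunday ... w6 = Saturday
            current = (t.weekday() + 1) % 7    # Python: Mon=0 ... Sun=6, shifted so Sun=0
            t = t - timedelta(days=(current - target) % 7)
    return t


def epoch(dt):
    """Epoch seconds in the form Splunk's earliest=/latest= accept."""
    return int(dt.timestamp())


def subsearch_window(picker_earliest, earliest_mod="-4w@d", latest_mod="@d"):
    """Subsearch (earliest, latest) epochs derived from the picker's earliest.

    Splunk's latest bound is exclusive (events with _time < latest), so "@d" of
    a midnight-aligned earliest ends the subsearch exactly where the main search
    starts. The dashboard above uses "-1d@d", which ends it a full day earlier.
    """
    return (epoch(relative_time(picker_earliest, earliest_mod)),
            epoch(relative_time(picker_earliest, latest_mod)))


if __name__ == "__main__":
    # Picker selection from the question: 01/07/2018 to 01/13/2018 inclusive.
    earliest, latest = ist(2018, 1, 7), ist(2018, 1, 14)
    print("main search  earliest/latest:", epoch(earliest), epoch(latest))
    for mod in ("-4w@d", "-4w@w0", "-1d@d", "@d"):
        t = relative_time(earliest, mod)
        print(f"{mod:>7} -> {t:%Y-%m-%d %H:%M %a} = {epoch(t)}")
    print("subsearch window (-4w@d .. @d):", subsearch_window(earliest))
```

Running it shows the main window as 1515263400 to 1515868200, matching the epoch answer, and both "-4w@d" and "-4w@w0" landing on 1512844200 (10/12/2017, which happens to be a Sunday, so the day snap and the week snap agree for this particular picker value); "-1d@d" yields 1515177000, the start of 06/01/2018, which is why a subsearch using it as latest never sees that day.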