Hello Everyone.
I am pretty new to Splunk. I'll try to be brief:
I know that a specific event happened at an exact time. So I want to know what happened on that machine at that time and in the 5 minutes before it. This is to see what the machine was doing 5 minutes prior to triggering the alert.
I got this query (where xxxxxxxxx is the index, sourcetype and name of the machine I want to look at):
***********************************************************************************************
xxxxxxxxx [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ]
***********************************************************************************************
This works well if I manually select anything in the timepicker. For example, if I click on "last 15 minutes", the query is actually run for the last 20 minutes (as I also want the 5 minutes before the earliest time).
The problem comes when I try to type an exact time in the query itself. I am trying, for example, earliest=10/19/2018:00:00:00 but it does not work. I have even tried earliest=-1d and it just does not listen to it; it listens to whatever is chosen in the timepicker.
Maybe I am taking the wrong approach with my initial query. Has anybody been in this situation? Or can anyone shed some light here?
Thank you very much in advance.
xxxx
[| makeresults
| eval earliest=relative_time(strptime("10/19/2018:00:00:00","%m/%d/%Y:%H:%M:%S"),"-5m@m")
| eval latest=relative_time(earliest,"+5m@m")]
Have you tried something like
xxxxxx
[| makeresults
| eval earliest=strptime("2021/04/23 12:00:00","%Y/%m/%d %H:%M:%S")
| fields earliest]
Hi @Coal_55
Are you trying to use both the earliest and latest fields?
Example:
earliest=10/19/2018:00:00:00 latest=10/27/2018:00:00:00
To help you, I suggest reading this documentation:
https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/DateandTimeFunctions
https://docs.splunk.com/Documentation/Splunk/8.1.3/Search/Specifytimemodifiersinyoursearch
@aasabatini Hello! If I specify earliest and latest in my query I get an error:
xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00 [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ]
Error in 'search' command: Unable to parse the search: Invalid time bounds in search: start=1619422260 > end=1619172000.
If I just put
xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00
it does look for events at exactly April 23, 2021, 9 AM. But I need to look for that time AND the 5 minutes before it.
Any clue on how to do it?
Thanks!
Hi @Coal_55
try this search:
... your search... [| makeresults
| eval earliest="04/23/2021:08:51:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")]
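As an added example (not code from any of the replies above): the time arithmetic the subsearches in this thread perform, strptime() plus relative_time() with an offset and an "@m" snap, reproduced in Python, together with the earliest > latest check behind the "Invalid time bounds in search" error quoted above. It assumes UTC for parsing; Splunk uses the user's or search head's time zone.

```python
import re
from datetime import datetime, timezone

# strptime format used in the thread's subsearches.
SPLUNK_FMT = "%m/%d/%Y:%H:%M:%S"

# Seconds per unit for the relative_time modifiers seen in the thread.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# <signed amount><unit>[@<snap unit>], e.g. "-5m@m", "+10m", "-1d"
_MODIFIER = re.compile(r"^([+-]?\d+)([smhd])(?:@([smhd]))?$")


def strptime_epoch(text, fmt=SPLUNK_FMT):
    """Mimic Splunk strptime(): parse text to epoch seconds (UTC assumed)."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


def relative_time(epoch, modifier):
    """Mimic Splunk relative_time(): apply the offset, then snap down to the '@' unit."""
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier}")
    amount, unit, snap = m.groups()
    result = epoch + int(amount) * _UNIT_SECONDS[unit]
    if snap:
        # "@m" truncates to the start of the minute, so seconds are dropped.
        result -= result % _UNIT_SECONDS[snap]
    return result


def check_bounds(earliest, latest):
    """Reproduce the search-time check that raises 'Invalid time bounds in search'."""
    if earliest > latest:
        raise ValueError(
            f"Invalid time bounds in search: start={int(earliest)} > end={int(latest)}"
        )
    return True


def window_before(event_time, minutes=5, fmt=SPLUNK_FMT):
    """(earliest, latest) covering the `minutes` before a known event time,
    exactly as the makeresults subsearch computes them:
    earliest = T - 5m@m, latest = earliest + 5m@m."""
    earliest = relative_time(strptime_epoch(event_time, fmt), f"-{minutes}m@m")
    latest = relative_time(earliest, f"+{minutes}m@m")
    check_bounds(earliest, latest)
    return earliest, latest


if __name__ == "__main__":
    print(window_before("10/19/2018:00:00:00"))  # 5-minute window ending at the event
```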
Hello @aasabatini
Thanks for the help. This query is useful for searching the specified time + 10 min. To achieve what I needed, I had to apply the logic @ITWhisperer used in his reply. But your query is actually useful for me as well. So thank you very much! 🙂
Hi @Coal_55
Happy to help. If you appreciate my support, please vote with 1 karma 😁