Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Restrict search to exclude events from today

cafissimo
Communicator
‎11-07-2013 04:18 AM

Hello,
I would like to know how is it possible to narrow every search that a user can launch to exclude events comin from 00:00 of current day.
i know I could use latest=@d, but since the search is issued in a form where there's also a timerange picker, if I put latest=@d it completely override the time range chosen by user.
Maybe should I do some eval after the initial search ( | eval bla bla about time).?

Thanks in advance and kind regards.

Luca Caldiero

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-07-2013 04:39 AM

A dirty way would be to modify the search underneath the form to include this:

... | where _time < relative_time(now(), "@d") | ...

That won't work if users can type in their own search of course. I don't think there's a way to force people into a specific timerange if they also have custom time available from a time range picker.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-07-2013 04:39 AM

A dirty way would be to modify the search underneath the form to include this:

... | where _time < relative_time(now(), "@d") | ...

That won't work if users can type in their own search of course. I don't think there's a way to force people into a specific timerange if they also have custom time available from a time range picker.

0 Karma
Reply
Solved! Jump to solution

cafissimo
Communicator
‎11-07-2013 05:09 AM

Well,
that is what I was looking for. I agree with you that it is a dirty way.
I've also modified times.conf to exclude certain time periods (last 60 minutes, last 4 hours and so on).
I will put this where condition into my form, even if I am quite sure it will slow down searches.

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...