Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Set a new time range using addinfo in search

nagar57
Communicator
‎08-02-2019 03:10 AM

I want to change the time range of my search by using addinfo. Below is my search query:

index =xxx sourcetype = xxx source="xxx/new_offers_web_*.log" Channel="web" Page="accthub" Placement="tiles" | lookup orch_time_range.csv as_of_dt as as_of_dt OUTPUT latest_dt,earliest_dt|addinfo|eval info_min_time=earliest_dt, info_max_time=latest_dt

latest_dt and earliest_dt are the fields in miliseconds being calculated in a lookup.
I am updating info_min_time and info_max_time. But still the time range is not getting changed.
Can someone help?

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-02-2019 04:02 AM

@nagar57

You can not change time range using addinfo. If you want to filter event on the basis of range then you have to use lookup values in earliest & latest.

like
index =xxx sourcetype = xxx source="xxx/new_offers_web_*.log" Channel="web" Page="accthub" Placement="tiles" [ | inputlookup orch_time_range.csv | rename latest_dt as latest,earliest_dt as earliest | return latest earliest ]

Above is sample idea you have to update search as per your requirement,

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...