Set earliest and latest time using a variable

zamberetta · ‎09-05-2016

Hi!

I'm trying to set the earliest and latest for a sub-search using a variable from the main search. The code below shows what I am trying to accomplish.

sourcetype=log1 Id=1116061 | stats earliest(_time) AS earliest, latest(_time) AS latest | fieldformat earliest= strftime(earliest, "%m/%d/%Y:%H:%M:%S") | fieldformat latest= strftime(latest, "%m/%d/%Y:%H:%M:%S") | search [index=log2 earliest=earliest latest=latest | stats avg(transcode_ratio) as Ratio]

The main search is giving me the correct value and format (08/30/2016:14:23:31) for the sub search to work. I'm just unable to use a variable as the value. I'm not sure what approach I should take as I have very little experience with splunk and couldn't find an example online that fits.

Many Thanks.

sundareshr · ‎09-05-2016

Try this

index=log2 [search sourcetype=log1 Id=1116061 | stats earliest(_time) AS earliest, latest(_time) AS latest | table earliest latest ] | stats avg(transcode_ratio) as Ratio

Set earliest and latest time using a variable

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Set earliest and latest time using a variable

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future