Set "latest" search time to 7 days after "earliest...

wu_weidong · ‎08-11-2020

Hi all,

I'm trying to set the search period such that "earliest" is a specific day, and "latest" is 7 days after that. For this example, I chose "earliest" to be 159595200, which is Jul 29, and I would like the search period to be 7/29/20 12AM to 8/5/20 12AM.

My query is

index=test earliest="1595952000" 
| eval latest=relative_time(earliest,"+7d")
| ...
| bin _time span=7d
| dedup _time fieldA
| stats count by _time fieldB

Splunk searches from 7/29/20 to 8/11/20 (i.e. now). It seems to ignore "latest".

I've also tried

index=test
| eval earliest="159595200"
| eval latest=relative_time(earliest, "+7d")
|...

In this case, Splunk searches from 7/29/20 to 7/30/20, i.e. only for 1 day.

What is wrong with my query, and why is my "latest" ignored?

Thank you.

richgalloway · ‎08-11-2020

earliest and latest are keywords only within the search command (which is implied before the first |). In other contexts, it's just an ordinary field. That's why they have no effect on the time being searched.

Here is a workaround that may work for you.

| makeresults | eval earliest=1595952000 | eval latest=relative_time(earliest,"+7d") 
| map search="search index=test earliest=$earliest$ latest=$latest$ | 
| ...
| bin _time span=7d
| dedup _time fieldA
| stats count by _time fieldB"

---
If this reply helps you, Karma would be appreciated.

Set "latest" search time to 7 days after "earliest"

eval

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!