Solved: Setting earliest and latest. - Splunk Community

Splunk Search

I want to search data from "earliest" to "earliest" + 5 minutes later.

How should I implement it ?

I tried the following, but failed.
index=xxxx earliest="yyyy/mm/dd hh:mm:ss" latest=earliest+5m

1 Solution

Solution

 your_search  [| makeresults 
| eval earliest="1/22/2020:08:00:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")
| format "(" "" "" "" "" ")"]

Hi, folks.
Making time modifiers, you can take earliest and latest to main search.

View solution in original post

Solution

 your_search  [| makeresults 
| eval earliest="1/22/2020:08:00:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")
| format "(" "" "" "" "" ")"]

Hi, folks.
Making time modifiers, you can take earliest and latest to main search.

Please advice me,

I want to use relative time in the "earliest".
Because "formtime" in the below is set when clicked in the dashboard.

I tried below, but I can't get anything.

my_search [| makeresults
| eval formtime="1/22/2020:08:00:00"
| eval formtime=strptime(ss,"%m/%d/%Y:%T")
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

| eval formtime=strptime(ss,"%m/%d/%Y:%T")
ss?

Sorry,

index=xxx my_search
[| makeresults
| eval formtime=$time1$
| eval formtime=strptime(formtime,"%m/%d/%Y:%T")
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

$time1$ is decided when _time is clicked on the dashboard.

index=xxx my_search
[| makeresults
| eval formtime=$time1$
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

$time1$ is epoch. do not strptime()

Thank you,

I think earliest and latest are set correctly, but no data was retrieved.
( Data in the time range exist definitely. )

Do u have any idea ?

wrong viz, maybe.

Thank you.

index=xxxx
[| makeresults
| eval earliest=relative_time($time1$,"-1m")
| eval latest=relative_time($time1$,"+1m")
| format "(" "" "" "" "" ")"]
| table _time

Let me check to see if I understand correctly. Are you looking for your earliest time is be fixed to a date and time, but you want your latest to be a relative time? Either both are fixed or both are relative.

However, If you are looking for both earliest and latest to be relative, than that's possible. Let's look at 2 hours ago for earliest and then 1 hour and 55 minutes ago (5 minutes after the earliest):
earliest=-2h latest=-2h+5m

###

If this reply helps you, an upvote would be appreciated.

I'm interested in this as well. Here is a way to do it using a couple steps, not sure it will work in your case.

index=xxxx sourcetype=yyyy earliest="1/21/2020:11:40:00"
| addinfo
| eval latest=info_min_time+300
| where _time<=latest
| (the rest of your search)

The addinfo command is used here to expose internal fields. You can see many of these in the Job Inspector.

Thank you for your help.
I can get the results which I want.

Be sure to "accept as answer" the solution that works for you so that others can benefit,

This is a creative workaround the absolute/relative time modifiers. I don't understand the use case, but bravo.

###

If this reply helps you, an upvote would be appreciated.

Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...