Splunk Search

Setting earliest and latest.

shikata74
New Member

I want to search data from "earliest" to "earliest" + 5 minutes later.

How should I implement it ?

I tried the following, but failed.
index=xxxx earliest="yyyy/mm/dd hh:mm:ss" latest=earliest+5m

0 Karma
1 Solution

to4kawa
Ultra Champion
 your_search  [| makeresults 
| eval earliest="1/22/2020:08:00:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")
| format "(" "" "" "" "" ")"]

Hi, folks.
Making time modifiers, you can take earliest and latest to main search.

View solution in original post

0 Karma

to4kawa
Ultra Champion
 your_search  [| makeresults 
| eval earliest="1/22/2020:08:00:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")
| format "(" "" "" "" "" ")"]

Hi, folks.
Making time modifiers, you can take earliest and latest to main search.

0 Karma

shikata74
New Member

Please advice me,

I want to use relative time in the "earliest".
Because "formtime" in the below is set when clicked in the dashboard.

I tried below, but I can't get anything.

my_search [| makeresults
| eval formtime="1/22/2020:08:00:00"
| eval formtime=strptime(ss,"%m/%d/%Y:%T")
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

0 Karma

to4kawa
Ultra Champion

| eval formtime=strptime(ss,"%m/%d/%Y:%T")
ss?

0 Karma

shikata74
New Member

Sorry,

index=xxx my_search
[| makeresults
| eval formtime=$time1$
| eval formtime=strptime(formtime,"%m/%d/%Y:%T")
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

$time1$ is decided when _time is clicked on the dashboard.

0 Karma

to4kawa
Ultra Champion
index=xxx my_search
[| makeresults
| eval formtime=$time1$
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

$time1$ is epoch. do not strptime()

0 Karma

shikata74
New Member

Thank you,

I think earliest and latest are set correctly, but no data was retrieved.
( Data in the time range exist definitely. )

Do u have any idea ?

0 Karma

to4kawa
Ultra Champion

wrong viz, maybe.

0 Karma

shikata74
New Member

Thank you.

index=xxxx
[| makeresults
| eval earliest=relative_time($time1$,"-1m")
| eval latest=relative_time($time1$,"+1m")
| format "(" "" "" "" "" ")"]
| table _time

0 Karma

efavreau
Motivator

Let me check to see if I understand correctly. Are you looking for your earliest time is be fixed to a date and time, but you want your latest to be a relative time? Either both are fixed or both are relative.

However, If you are looking for both earliest and latest to be relative, than that's possible. Let's look at 2 hours ago for earliest and then 1 hour and 55 minutes ago (5 minutes after the earliest):
earliest=-2h latest=-2h+5m

###

If this reply helps you, an upvote would be appreciated.
0 Karma

jpolvino
Builder

I'm interested in this as well. Here is a way to do it using a couple steps, not sure it will work in your case.

index=xxxx sourcetype=yyyy earliest="1/21/2020:11:40:00"
| addinfo
| eval latest=info_min_time+300
| where _time<=latest
| (the rest of your search)

The addinfo command is used here to expose internal fields. You can see many of these in the Job Inspector.

shikata74
New Member

Thank you for your help.
I can get the results which I want.

0 Karma

jpolvino
Builder

Be sure to "accept as answer" the solution that works for you so that others can benefit,

0 Karma

efavreau
Motivator

This is a creative workaround the absolute/relative time modifiers. I don't understand the use case, but bravo.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...