
Setting earliest and latest.

New Member

I want to search data from "earliest" to "earliest" + 5 minutes later.

How should I implement it ?

I tried the following, but failed.
index=xxxx earliest="yyyy/mm/dd hh:mm:ss" latest=earliest+5m


Re: Setting earliest and latest.

Builder

I'm interested in this as well. Here is a way to do it using a couple of steps; not sure it will work in your case.

index=xxxx sourcetype=yyyy earliest="1/21/2020:11:40:00"
| addinfo
| eval latest=info_min_time+300
| where _time<=latest
| (the rest of your search)

The addinfo command is used here to expose internal fields. You can see many of these in the Job Inspector.


Re: Setting earliest and latest.

Builder

This is a creative workaround for the absolute/relative time modifiers. I don't understand the use case, but bravo.

If this reply helps you, an upvote would be appreciated.

Re: Setting earliest and latest.

New Member

Thank you for your help.
I can get the results which I want.


Re: Setting earliest and latest.

Builder

Be sure to "accept as answer" the solution that works for you so that others can benefit.


Re: Setting earliest and latest.

Builder

Let me check to see if I understand correctly. Are you looking for your earliest time to be fixed to a date and time, but you want your latest to be a relative time? Either both are fixed or both are relative.

However, if you are looking for both earliest and latest to be relative, then that's possible. Let's look at 2 hours ago for earliest and then 1 hour and 55 minutes ago (5 minutes after the earliest):
earliest=-2h latest=-2h+5m


Re: Setting earliest and latest.

Ultra Champion
your_search [| makeresults
| eval earliest="1/22/2020:08:00:00"
| eval earliest=strptime(earliest,"%m/%d/%Y:%T")
| eval latest=relative_time(earliest,"+10m")
| format "(" "" "" "" "" ")"]

Hi, folks.
By building the time modifiers in a subsearch, you can pass earliest and latest to the main search.
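A complete version of that subsearch pattern, added here as an example rather than taken from any post in this thread: the subsearch turns one fixed timestamp into `earliest` and `latest` exactly 5 minutes apart (the window the original question asked for), and the main search then runs only over those events. `index=xxxx`, the timestamp and the trailing `stats` are placeholders; the `table earliest latest` line is an assumption that keeps the `_time` field `makeresults` creates out of the generated search terms.

```spl
index=xxxx
    [| makeresults
     | eval start="1/22/2020:08:00:00"
     | eval earliest=strptime(start, "%m/%d/%Y:%T")
     | eval latest=relative_time(earliest, "+5m")
     | table earliest latest
     | format "(" "" "" "" "" ")"]
| stats count
```

In a dashboard, replace the literal with the quoted token `"$time1$"`, since Splunk substitutes tokens as text before the search is parsed; if the token already carries an epoch value taken from `_time`, drop the `strptime` step and feed it to `relative_time` directly.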


Re: Setting earliest and latest.

New Member

Please advise me,

I want to use relative time in the "earliest",
because "formtime" in the search below is set when a point is clicked in the dashboard.

I tried the search below, but I can't get anything.

mysearch [| makeresults
| eval formtime="1/22/2020:08:00:00"
| eval formtime=strptime(ss,"%m/%d/%Y:%T")
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]


Re: Setting earliest and latest.

Ultra Champion

| eval formtime=strptime(ss,"%m/%d/%Y:%T")
ss?


Re: Setting earliest and latest.

New Member

Sorry,

index=xxx mysearch
[| makeresults
| eval formtime=$time1$
| eval formtime=strptime(formtime,"%m/%d/%Y:%T")
| eval earliest=relative_time(formtime,"-10m")
| eval latest=relative_time(formtime,"+10m")
| format "(" "" "" "" "" ")"]

$time1$ is decided when _time is clicked on the dashboard.
