Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Setting the starttime and endtime in an eval

njfrost
Explorer
‎01-31-2013 10:09 AM

I wrote a macro where ReleaseInterval2013(month) evaluates starttime and endtime based on the month I select. The starttime and endtime are static dates for each month. I want to save myself from replacing the start/endtimes for every search I do with any month I choose.

My implementation does not work: the starttime and endtime are ignored.

This is what my macro definition looks like:

eval starttime=case($month$=="Jan", "12/8/2012:00:00:00", ...) | eval endtime=case($month%="Jan", 01/12/2013:00:00:00", ...)

And my search is like this:

searchterms | eval ReleaseMonth="Jan" | `ReleaseInterval2013(ReleaseMonth)` | stats count by lineOfBusiness

I am guessing it is not possible to set these values with eval because eval is evaluated for each log item and the search cannot respond to value changes after the search has started.

Is this assumption correct? And more importantly, what is the best approach to take in my situation? Times.conf only supports relative times as far as I know.

Thank you!

Reply

lguinn2
Legend
‎02-01-2013 12:49 AM

Okay, here is how I would do it. First, I would have a CSV file that looks like this:

month,startingTime,endingTime
Jan-2013,8-Jan-2013 0:00:00,27-Jan-2013 0:00:00

etc. Load this into Splunk as a lookup file and create a lookup for it. I will call the lookup date_lookup in my example. Good info here on how to set up a lookup.

Then I would create a macro that takes one argument, just as you did: ReleaseInterval(ReleaseMonth)

Here is what I would put in my macro:

eval tempMon=$ReleaseMonth$ 
| lookup date_lookup month as tempMon 
| eval tempStart=strptime(startingTime,"%d-%m-%Y %H:%M:%S")
| eval tempEnd =strptime(endingTime,"%d-%m-%Y %H:%M:%S")
| where _time >= tempStart AND _time <= tempEnd
| fields - tempMon tempStart tempEnd

Use the macro like this

searchterms |  `ReleaseInterval(Jan-2013)` | stats count by lineOfBusiness

Now you can setup the CSV file for multiple years, and you only have to update the CSV file to keep things going.

Let me know if you have problems with this, as my typing is never that great!

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-31-2013 10:55 AM

You can just use a subsearch:

sourcetype=mybasesearchst "my search terms [ stats count | eval earliest="12/31/2012:12:34:56" | eval latest="1/31/2013:12:00:00" | return earliest latest ]

or

sourcetype=mybasesearchst "my search terms [  stats count | `mymacro` | return earliest=starttime latest=endtime ]

please note that earliest and latest are preferred over starttime and endtime, so I renamed your fields, though technically they may still work.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-01-2013 11:49 AM

i needed to start these subsearches with stats count to make the evals work.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-01-2013 11:45 AM

I made an error in the subsearch, correcting it now.

0 Karma
Reply

Ayn
Legend
‎01-31-2013 12:51 PM

Yes, the subsearch runs before the main search.

0 Karma
Reply

njfrost
Explorer
‎01-31-2013 12:28 PM

This is new territory for me. I'll provide an update if I figure something out. Thanks for your suggestion.

0 Karma
Reply

njfrost
Explorer
‎01-31-2013 12:26 PM

I am having trouble getting this to work. I cannot get the earliest and latest to be returned to the main search for use. Does the subsearch run before the main search?

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎01-31-2013 10:58 AM

Also, I don't know if this is helpful, but rather than the eval, you could also specify a date within the month using relative times:

earliest=@mon+1w@w1+13h

if you can specify your dates that way.

0 Karma
Reply

lguinn2
Legend
‎01-31-2013 10:18 AM

You could do this:

yoursearchhere earliest=@m

This will search only the current month, whatever it may be. I don't know how you could make a macro that was any easier...

Reply

njfrost
Explorer
‎01-31-2013 11:21 AM

Sorry! Please don't take offense to the down vote. I don't think this is a valid suggestion to my question.

I am not familiar with lookup tables. I am researching this now.
Thank you for the suggestion and quick response.

0 Karma
Reply

lguinn2
Legend
‎01-31-2013 10:46 AM

You would be better off to use a lookup table then. But don't vote down valid suggestions if you want people to offer more help,

Reply

njfrost
Explorer
‎01-31-2013 10:26 AM

The start and end of my monthly intervals are predefined. They are mostly the second Saturday of the month but not always.
I have a list of start and end dates and I want to reference them by number or keyword.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...