Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk relative time

jdmclemore
Path Finder
‎10-02-2020 10:08 PM

Today is 10/2/2020. I need to execute 6 searches using relative time for last month (earliest= & latest=) that are each 5 days in length.

Specifically:

9/01/2020:00:00:00 - 9/05/2020:23:59:59

9/06/2020:00:00:00 - 9/10/2020:23:59:59

9/11/2020:00:00:00 - 9/15/2020:23:59:59

9/16/2020:00:00:00 - 9/20/2020:23:59:59

9/21/2020:00:00:00 - 9/25/2020:23:59:59

9/26/2020:00:00:00 - 9/30/2020:23:59:59

I'd love to use these exact times as earliest/latest, or even epoch times, but that won't work in my particular situation. 

How can I represent the 6 spans above in relative time?

 

 

 

 

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-03-2020 10:16 PM

now=10/3/20 11:08:48.000 PM

Hi @Nisha18789 .. the idea was good.. but it may give some issues:
index=ioc earliest=-30d@d latest=-25d@d
(you can open the inspect job and see the exact timeframe which was applied for your search)

9/3/20 12:00:00.000 AM - 9/8/20 12:00:00.000 AM

 

Hi @jdmclemore ... Please try these methods: 

index=ioc earliest=-1mon@mon latest=-1mon@+2d@d
(you can open the inspect job and see the exact timeframe which was applied for your search)

9/1/20 12:00:00.000 AM - 9/5/20 12:00:00.000 AM

 index=ioc earliest=-1mon@+2d@d latest=-1mon@+7d@d

9/5/20 12:00:00.000 AM - 9/10/20 12:00:00.000 AM

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-03-2020 10:16 PM

now=10/3/20 11:08:48.000 PM

Hi @Nisha18789 .. the idea was good.. but it may give some issues:
index=ioc earliest=-30d@d latest=-25d@d
(you can open the inspect job and see the exact timeframe which was applied for your search)

9/3/20 12:00:00.000 AM - 9/8/20 12:00:00.000 AM

 

Hi @jdmclemore ... Please try these methods: 

index=ioc earliest=-1mon@mon latest=-1mon@+2d@d
(you can open the inspect job and see the exact timeframe which was applied for your search)

9/1/20 12:00:00.000 AM - 9/5/20 12:00:00.000 AM

 index=ioc earliest=-1mon@+2d@d latest=-1mon@+7d@d

9/5/20 12:00:00.000 AM - 9/10/20 12:00:00.000 AM

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

jdmclemore
Path Finder
‎10-06-2020 06:47 AM

That's what I was looking for - thank you!

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-03-2020 08:53 PM

Hi @jdmclemore .. 

As @gcusello suggested, for earliest and latest times, we can simply use the exact times as well.

(Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as earliest="10/5/2016:20:00:00", or a relative time such as earliest=-h or latest=@w6.)

or, to convert your required times to epoch, pls use this strptime command:

 

| makeresults 
| eval time1="9/01/2020:00:00:00" 
| eval time2="9/05/2020:23:59:59"
| eval epoch1=strptime(time1,"%m/%d/%Y:%H:%M:%S") 
| eval epoch2=strptime(time2,"%m/%d/%Y:%H:%M:%S") 
| table time1 time2 epoch1 epoch2

 


Please check it:

strptime.jpg

 

(PS - i have given around 500+ karma points so far, received badge for that, if an answer helped you, a karma point would be nice!. we all should start "Learn, Give Back, Have Fun")

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-02-2020 11:23 PM

Hi @jdmclemore,

let me understand: you want to count events in the period from 9/01/2020:00:00:00 to 9/30/2020:23:59:59 wiyj a span of 5 days, is it correct?

if this is your need, please, try something like this:

your search earliest="9/01/2020:00:00:00" latest="9/30/2020:23:59:59"
| timechart span=5d count

Ciao.

Giuseppe

Reply
Solved! Jump to solution

jdmclemore
Path Finder
‎10-03-2020 05:21 AM

Hi - thanks for the reply.

 

No, not counting events, just doing regular searches. But I'm wondering how you would represent each of those time spans with relative time notation instead of using the actual time. I know, it's a strange request...but can it be done?

 

Reply
Solved! Jump to solution

Nisha18789
Builder
‎10-03-2020 03:22 PM

hi @jdmclemore , you can use below notation for relative times

earliest=-30d@d latest=-25d@d 

 

 

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...