Splunk Search

Unable to filter for a time range when using saved searches

orion44
Communicator

I have a saved search that has a time range of All time. The saved search contains eval and stats functions that I want to apply to certain time ranges only. The saved search is All time because I need to generate the FirstSeen date of an event in the report. I've found I cannot do this and no Statistics are generated.

Example saved search:
index="log" | eval Label=case(status="0","Other") | stats earliest(_time) as FirstSeen, latest(_time) as LastSeen, count by host, Label

When I reference this saved search in another report and specify a time range, in this case the last hour on the hour – no stats are generated.

|savedsearch "Master Report" | where _time>=relative_time(now(), "-1h@h") AND _time<=relative_time(now(), "@h") | table host Label FirstSeen LastSeen

Is it not possible to filter for time ranges when referencing a saved search that has a stats command?

0 Karma

gcusello
SplunkTrust

Hi orion44,
you can also apply a filter in the second part of your search by adding the command (e.g. applying a filter to the last seven days):

...
| search earliest=-7d latest=now
| ...

But this solution isn't very performant; indeed, it is not recommended because best practices suggest always using the shortest possible time period!

So I suggest to schedule a search that e.g. every hour or every day (it depends on your data update frequency) writes the results of the "FirstSeen date" in a summary index, so you can use the correct time period for your search and add the value from the summary index, or you can schedule the full search and use its results only from the summary index, which is small and very performant.

Bye.
Giuseppe

0 Karma

orion44
Communicator

Thanks, I tried | search earliest=-1h latest=now and still no results are found. It appears you can't filter for time values when using the savedsearch command. Very unfortunate.

0 Karma
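An added Python model (not Splunk code, and not from either poster) of why the `where _time>=...` filter in the question yields nothing: `stats ... by host Label` outputs one row per group carrying FirstSeen, LastSeen and count but no `_time`, so a later `where` on `_time` compares against a missing field and drops every row; a `| search earliest=... latest=...` placed after `stats` has the same problem, since it also filters on `_time`. The hosts, timestamps and the fixed `NOW` are constructed, and the functions approximate SPL semantics rather than executing them. The last function filters on `LastSeen`, a field that does survive `stats`, which keeps the all-time FirstSeen while restricting the rows to hosts seen in the window (count still covers all time, which is the gap the summary-index suggestion above addresses).

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not from the thread).
NOW = datetime(2024, 3, 1, 12, 30, tzinfo=timezone.utc)


def minutes_ago(m):
    """Epoch seconds for an event m minutes before NOW."""
    return int((NOW - timedelta(minutes=m)).timestamp())


# Constructed raw events standing in for index="log". app01 never has status 0.
EVENTS = [
    {"_time": minutes_ago(30),   "host": "web01", "status": "0"},
    {"_time": minutes_ago(120),  "host": "web01", "status": "0"},
    {"_time": minutes_ago(1800), "host": "web01", "status": "0"},
    {"_time": minutes_ago(12),   "host": "db01",  "status": "0"},
    {"_time": minutes_ago(6000), "host": "db01",  "status": "0"},
    {"_time": minutes_ago(5),    "host": "app01", "status": "1"},
]


def eval_label(event):
    """| eval Label=case(status="0","Other") : when no branch matches, Label is absent."""
    e = dict(event)
    if e.get("status") == "0":
        e["Label"] = "Other"
    return e


def stats_by_host_label(events):
    """| stats earliest(_time) as FirstSeen latest(_time) as LastSeen count by host Label

    Events missing a by-field are dropped, and the output rows carry no _time.
    """
    groups = {}
    for e in events:
        if "host" not in e or "Label" not in e:
            continue
        key = (e["host"], e["Label"])
        g = groups.get(key)
        if g is None:
            groups[key] = {"FirstSeen": e["_time"], "LastSeen": e["_time"], "count": 1}
        else:
            g["FirstSeen"] = min(g["FirstSeen"], e["_time"])
            g["LastSeen"] = max(g["LastSeen"], e["_time"])
            g["count"] += 1
    return [{"host": h, "Label": l, **g} for (h, l), g in groups.items()]


def master_report(events=EVENTS):
    """The saved search, run over all time: eval then stats."""
    return stats_by_host_label(eval_label(e) for e in events)


def last_hour_on_the_hour(now=NOW):
    """relative_time(now,"-1h@h") and relative_time(now,"@h") as epoch seconds."""
    top = now.replace(minute=0, second=0, microsecond=0)
    return int((top - timedelta(hours=1)).timestamp()), int(top.timestamp())


def where_between(rows, field, earliest, latest):
    """| where field>=earliest AND field<=latest

    A missing field evaluates as null, the comparison is false, and the row is dropped.
    """
    return [r for r in rows if field in r and earliest <= r[field] <= latest]


def filter_report_on_time(rows=None):
    """The thread's filter: where _time>=... applied after stats. Always empty."""
    rows = master_report() if rows is None else rows
    earliest, latest = last_hour_on_the_hour()
    return where_between(rows, "_time", earliest, latest)


def filter_report_on_lastseen(rows=None):
    """Filter on a field that survives stats: hosts last seen inside the window,
    with their all-time FirstSeen preserved."""
    rows = master_report() if rows is None else rows
    earliest, latest = last_hour_on_the_hour()
    return where_between(rows, "LastSeen", earliest, latest)


if __name__ == "__main__":
    for row in master_report():
        print(row)
    print("where _time:   ", filter_report_on_time())
    print("where LastSeen:", filter_report_on_lastseen())
```

Running the block prints two report rows (web01 and db01; app01 has no Label and is dropped by the by-clause), an empty list for the `_time` filter, and only web01 for the LastSeen filter, because db01's last event falls after the top of the hour.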