Using earliest and latest variables in a form

adylent
Path Finder

(Using Splunk 6) Does anyone know if Splunk can do something similar to this:

<fieldset autoRun="false" submitButton="true">
        <input type="text" token="earliest">
          <label>earliest time</label>
          <default>now</default>
        </input>
        <input type="text" token="latest">
          <label>latest time</label>
          <default>now</default>
        </input>
</fieldset>

I'm wanting to not use a timepicker, but instead, give them two text boxes where they can specify a date range.

Every time I try to supply values I get:
Invalid earliest_time

Except if I enter 0 for earliest and now for latest.

I've tried both

$earliest$>
$latest$

and then also

earliest=$earliest$ latest=$latest$

in the search

Thanks

0 Karma

adylent
Path Finder

User error. You cannot use earliest or latest as a variable.

<fieldset autoRun="false" submitButton="true">
        <input type="text" token="earliesttime">
          <label>earliest time</label>
          <default>now</default>
        </input>
        <input type="text" token="latesttime">
          <label>latest time</label>
          <default>now</default>
        </input>
</fieldset>

aholzer
Motivator

Earliest and Latest follow a very specific format in order to be used. See here for more details: http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/SearchTimeModifiers

Something like -1d@d (-1 day snap/truncate to the day) or -1m (-1 minute without truncating).

You'd have to do something like:
<base search> | eval earliest=strptime("$earliest$","%d/%m/%Y") | where _time >= earliest

Of course your search performance will be impacted because it'll search through ALL your events, and then try to extract those that are after "earliest". I'd stick to timepicker.

Hope this helps

0 Karma

poojak2579
Explorer

Hi Adylent,
Did you find the solution to this problem?
If yes, please let me know. I am also dealing with the same problem.

0 Karma

sowings
Splunk Employee

You can probably do it given what you've specified as a text box, but you'd have to use the relative time specifiers (e.g. "-5m", "@d") or a fully formatted time stamp ("2014/01/09:00:00:00"), or an epoch time ("1389386013").

It might be easier to use a time picker, since it's a full-featured control with lots of ways to specify the time.

0 Karma
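
A complete form that puts the thread's pieces together, as an added example that is not code from any of the posters: the renamed tokens from the accepted solution are substituted into inline `earliest=`/`latest=` modifiers in the search string. The base search, the panel title, and the `-24h@h` default are assumptions chosen for illustration.

```xml
<form>
  <label>Text-box time range (constructed example)</label>
  <fieldset autoRun="false" submitButton="true">
    <!-- Token names avoid "earliest" and "latest", following the accepted solution -->
    <input type="text" token="earliesttime">
      <label>earliest time</label>
      <!-- Assumed default: a relative specifier covering the last 24 hours -->
      <default>-24h@h</default>
    </input>
    <input type="text" token="latesttime">
      <label>latest time</label>
      <default>now</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Events by sourcetype</title>
      <!-- Assumed base search; both tokens are quoted inside the time modifiers -->
      <searchString>index=_internal earliest="$earliesttime$" latest="$latesttime$" | stats count by sourcetype</searchString>
    </table>
  </row>
</form>
```

The text boxes accept the kinds of values listed in the replies above, such as a relative specifier like `-5m` or `@d`, or an epoch time.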