Splunk Search

Using "earliest" and other time modifiers in ad hoc queries

mv10
Explorer

Is it possible to put time modifiers like "earliest" into a search and essentially disregard the time range drop-down in the Splunk UI? I have data that is logged once every 24 hours, so I'd like to embed "WHERE earliest=-24h" into a rather large, complicated query so I can cut-and-paste from my notes without having to mess around with the drop-down (or more importantly, so I don't need to make additional notes to remind myself to set the drop-down).

I tried something like this:

index=iis sourcetype=xxxx host=xxxx | WHERE earliest=-24h | eval... | table...

 But the UI shows "Error in 'where' command: the operator at 'h' is invalid.

Labels (1)
0 Karma
1 Solution

mv10
Explorer

Bah... the "WHERE" clause is unnecessary (got that from somewhere in the docs) ... just specifying "earliest" as one of the criteria is adequate.

View solution in original post

0 Karma

mv10
Explorer

Bah... the "WHERE" clause is unnecessary (got that from somewhere in the docs) ... just specifying "earliest" as one of the criteria is adequate.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

You can use earliest, latest etc. in your base search, don't use | and where. Just 

index=iis sourcetype=xxxx host=xxxx earliest=-24h | eval... | table...

This is even more efficient way to do queries that add where or search on the right side of first pipe (|).

r. Ismo 

0 Karma

mv10
Explorer

Thanks!

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...