Solved: Using "earliest" and other time modifiers in ad ho...

mv10 · ‎01-07-2022

Is it possible to put time modifiers like "earliest" into a search and essentially disregard the time range drop-down in the Splunk UI? I have data that is logged once every 24 hours, so I'd like to embed "WHERE earliest=-24h" into a rather large, complicated query so I can cut-and-paste from my notes without having to mess around with the drop-down (or more importantly, so I don't need to make additional notes to remind myself to set the drop-down).

I tried something like this:

index=iis sourcetype=xxxx host=xxxx | WHERE earliest=-24h | eval... | table...

But the UI shows "Error in 'where' command: the operator at 'h' is invalid.

mv10 · ‎01-07-2022

Bah... the "WHERE" clause is unnecessary (got that from somewhere in the docs) ... just specifying "earliest" as one of the criteria is adequate.

View solution in original post

mv10 · ‎01-07-2022

Bah... the "WHERE" clause is unnecessary (got that from somewhere in the docs) ... just specifying "earliest" as one of the criteria is adequate.

isoutamo · ‎01-07-2022

You can use earliest, latest etc. in your base search, don't use | and where. Just

index=iis sourcetype=xxxx host=xxxx earliest=-24h | eval... | table...

This is even more efficient way to do queries that add where or search on the right side of first pipe (|).

r. Ismo

mv10 · ‎01-07-2022

Thanks!

Using "earliest" and other time modifiers in ad hoc queries

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!