Is it possible to put time modifiers like "earliest" into a search and essentially disregard the time range drop-down in the Splunk UI? I have data that is logged once every 24 hours, so I'd like to embed "WHERE earliest=-24h" into a rather large, complicated query so I can cut-and-paste from my notes without having to mess around with the drop-down (or more importantly, so I don't need to make additional notes to remind myself to set the drop-down).
I tried something like this:
index=iis sourcetype=xxxx host=xxxx | WHERE earliest=-24h | eval... | table...
But the UI shows "Error in 'where' command: the operator at 'h' is invalid."
Bah... the "WHERE" clause is unnecessary (got that from somewhere in the docs) ... just specifying "earliest" as one of the criteria is adequate.
You can use earliest, latest etc. in your base search, don't use | and where. Just
index=iis sourcetype=xxxx host=xxxx earliest=-24h | eval... | table...
This is an even more efficient way to do queries than adding where or search on the right side of the first pipe (|).
r. Ismo
Thanks!
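As an added example (not code from the thread), here is a small Python interpreter for the relative time modifiers that earliest= and latest= accept in the base search, resolving values like -24h or -1d@d against a reference time and checking whether an event falls in the resulting window. It assumes the `<offset>@<unit>` form (offset applied first, then snap), @w snapping back to Sunday, and latest being exclusive; those are assumptions about Splunk's semantics, not something the thread states.

```python
import re
from datetime import datetime, timedelta

# Added example, not code from the thread: an interpreter for relative time
# modifiers such as "-24h", "-1d@d", "@h" or "now". Naive ISO 8601 strings are
# used at the boundaries so the example runs offline with no Splunk instance.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MODIFIER = re.compile(
    r"^(?:(?P<sign>[+-])(?P<num>\d+)(?P<unit>[smhdw]))?(?:@(?P<snap>[smhdw]))?$")


def resolve(modifier: str, now_iso: str) -> str:
    """Resolve a modifier against a reference time: offset first, then @snap."""
    now = datetime.fromisoformat(now_iso)
    if modifier in ("", "now"):
        return now.isoformat()
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    t = now
    if m.group("unit"):  # e.g. -24h: shift by the signed offset
        seconds = int(m.group("num")) * _UNIT_SECONDS[m.group("unit")]
        t += timedelta(seconds=seconds if m.group("sign") == "+" else -seconds)
    snap = m.group("snap")  # e.g. @d: truncate down to the unit boundary
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap in ("d", "w"):
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        if snap == "w":  # assumption: @w snaps to the preceding Sunday
            t -= timedelta(days=(t.weekday() + 1) % 7)
    return t.isoformat()


def in_window(event_iso: str, earliest: str, latest: str, now_iso: str) -> bool:
    """True if the event lies in [earliest, latest): earliest inclusive, latest exclusive."""
    start = datetime.fromisoformat(resolve(earliest, now_iso))
    end = datetime.fromisoformat(resolve(latest, now_iso))
    if start > end:
        raise ValueError("earliest must not be after latest")
    return start <= datetime.fromisoformat(event_iso) < end
```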