Solved: Re: latest = earliest + 1day. in search query

snehasal · ‎07-13-2017

Hi,

I am trying to filter my search results by specifying earliest and latest time in my search query. The earliest time comes from a token. I want the latest time to be earliest + 1day. $time_token$ has the date which is selected from one of the Dashboard panels.
Please help

source="ClodeRunner10.csv" sourcetype="csv" earliest=$time_token$ latest =$time_token"+1d
| eval WfStart=If(step_info="WORKFLOW START",_time,null()) 
| eval WfEnd=If(step_info="WORKFLOW END",_time,null()) 
| sort 0 _time 
| streamstats latest(WfStart) as WfStart by workflow_name 
| eval WfDuration=round(((WfEnd-WfStart)/60) ,2) 
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false

Thanks,
Sneha

jackson1990 · ‎07-13-2017

Try the below approaches:
1.Mentioning 1d in secs in your query.Include eval latest = $time_token$+86400 in your query
or
2.Include eval latest=relative_time($time_token$, "+d") in the query
Dont forget to append pipe(|) operator for eval operations.

View solution in original post

jackson1990 · ‎07-13-2017

Try the below approaches:
1.Mentioning 1d in secs in your query.Include eval latest = $time_token$+86400 in your query
or
2.Include eval latest=relative_time($time_token$, "+d") in the query
Dont forget to append pipe(|) operator for eval operations.

snehasal · ‎07-13-2017

latest = $time_token$+86400 worked for me.
Thanks

jackson1990 · ‎07-14-2017

Glad it worked !!

latest = earliest + 1day. in search query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation