Splunk Search

latest = earliest + 1day. in search query

snehasal
Explorer

Hi,

I am trying to filter my search results by specifying earliest and latest time in my search query. The earliest time comes from a token. I want the latest time to be earliest + 1day. $time_token$ has the date which is selected from one of the Dashboard panels.
Please help

source="ClodeRunner10.csv" sourcetype="csv" earliest=$time_token$ latest =$time_token"+1d
| eval WfStart=If(step_info="WORKFLOW START",_time,null()) 
| eval WfEnd=If(step_info="WORKFLOW END",_time,null()) 
| sort 0 _time 
| streamstats latest(WfStart) as WfStart by workflow_name 
| eval WfDuration=round(((WfEnd-WfStart)/60) ,2) 
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false

Thanks,
Sneha

0 Karma
1 Solution

jackson1990
Path Finder

Try the below approaches:
1. Mention 1d in seconds in your query. Include eval latest = $time_token$+86400 in your query
or
2. Include eval latest=relative_time($time_token$, "+d") in the query
Don't forget to append the pipe (|) operator for eval operations.

snehasal
Explorer

latest = $time_token$+86400 worked for me.
Thanks

0 Karma

jackson1990
Path Finder

Glad it worked !!

0 Karma
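
A full version of the query from this thread, as an added example that is not part of the original posts: it computes the window in a subsearch that returns fields named earliest and latest, which Splunk applies as time modifiers to the outer search. It assumes $time_token$ holds an epoch timestamp in seconds, which is what the +86400 approach reported as working implies.

```spl
source="ClodeRunner10.csv" sourcetype="csv"
    [| makeresults
     | eval earliest=$time_token$
     | eval latest=relative_time(earliest, "+1d")
     | return earliest latest]
| eval WfStart=if(step_info="WORKFLOW START", _time, null())
| eval WfEnd=if(step_info="WORKFLOW END", _time, null())
| sort 0 _time
| streamstats latest(WfStart) as WfStart by workflow_name
| eval WfDuration=round(((WfEnd-WfStart)/60), 2)
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false
```

relative_time(earliest, "+1d") moves one calendar day forward, while earliest+86400 always adds exactly 24 hours, so the two windows differ on days with a daylight-saving change.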