Splunk Search

latest = earliest + 1day. in search query

Explorer

Hi,

I am trying to filter my search results by specifying earliest and latest time in my search query. The earliest time comes from a token. I want the latest time to be earliest + 1day. $time_token$ has the date which is selected from one of the Dashboard panels.
Please help

source="ClodeRunner10.csv" sourcetype="csv" earliest=$time_token$ latest =$time_token"+1d
| eval WfStart=If(step_info="WORKFLOW START",_time,null()) 
| eval WfEnd=If(step_info="WORKFLOW END",_time,null()) 
| sort 0 _time 
| streamstats latest(WfStart) as WfStart by workflow_name 
| eval WfDuration=round(((WfEnd-WfStart)/60) ,2) 
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false

Thanks,
Sneha


Path Finder

Try the below approaches:
1. Mention 1d in seconds in your query: include eval latest = $timetoken$+86400 in your query
or
2. Include eval latest=relative_time($time_token$, "+d") in the query
Don't forget to append the pipe (|) operator for eval operations.

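As an added example (not from the thread), the same pipeline with the one-day window computed in a subsearch instead of an eval field: the earliest and latest search modifiers are applied before any eval command runs, and a subsearch that returns fields named earliest and latest is the standard way to hand computed epoch bounds to the outer search. It assumes $time_token$ holds epoch seconds (as the +86400 approach implies); the makeresults subsearch is my construction, and the source, field and token names are taken from the question.

```spl
source="ClodeRunner10.csv" sourcetype="csv"
    [| makeresults
     | eval earliest=$time_token$, latest=relative_time(earliest, "+1d")
     | fields earliest latest
     | format ]
| eval WfStart=if(step_info="WORKFLOW START", _time, null())
| eval WfEnd=if(step_info="WORKFLOW END", _time, null())
| sort 0 _time
| streamstats latest(WfStart) as WfStart by workflow_name
| eval WfDuration=round((WfEnd-WfStart)/60, 2)
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false
```

The format command turns the two fields into ( earliest="..." AND latest="..." ), which the outer search reads as its time range, so the window is bounded at index-scan time rather than after the events are already retrieved.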

Explorer

latest = $time_token$+86400 worked for me.
Thanks


Path Finder

Glad it worked !!
