cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Coal_55
Explorer
Member since: ‎04-23-2021
‎04-26-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎04-23-2021
Activity Feed
View All

Re: Query with specific timestamp then pull the ev...

by in Splunk Search
‎04-26-2021 04:57 AM
‎04-26-2021 04:57 AM
@ITWhisperer  This is it!  I owe you one, man 🙂   Thank you so much!     ... View more

Re: Query with specific timestamp then pull the ev...

by in Splunk Search
‎04-26-2021 04:55 AM
‎04-26-2021 04:55 AM
Hello @aasabatini      Thanks for the help.  This query is useful to search for the time specified + 10 min.   To achieve what I needed, I had to apply the logic @ITWhisperer  did on his reply.  But actually your query is useful for me also. So thank you very much! 🙂 ... View more

Re: Query with specific timestamp then pull the ev...

by in Splunk Search
‎04-26-2021 02:12 AM
‎04-26-2021 02:12 AM
@aasabatini   Hello!  If I specify earliest and latest in my query I get an error:   xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00 [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ] Error in 'search' command: Unable to parse the search: Invalid time bounds in search: start=1619422260 > end=1619172000.   If I just put   xxxmy query herexxx earliest=04/23/2021:09:00:00 latest=04/23/2021:09:00:00   It does look for events exactly at April 23 2021 9 AM.     But I need to look for that time AND minus 5 minutes.   Any clue on how to do it?   Thanks! ... View more

Query with specific timestamp then pull the events...

by in Splunk Search
‎04-23-2021 03:38 AM
‎04-23-2021 03:38 AM
Hello Everyone. I am pretty new with splunk. I'll try to be brief:   I know that a specific event happened at an exact time. So I want to know what happened on that machine at that time and in the last 5 minutes. This is to see what the machine was doing 5 minutes prior triggering the alert.   I got this query:    (where xxxxxxxxx  is the index, sourcetype and name of the machine I want to look) *********************************************************************************************** xxxxxxxxx [| gentimes start=-1 | addinfo | eval earliest=relative_time(info_min_time,"-5m") |table earliest latest | format "" "" "" "" "" "" ] *********************************************************************************************** This works well if I manually select in the timepicker anything. For example I click on "last 15 minutes", the query is in reality done for the last 20 minutes (as I want as well the 5 minutes before the earliest time).   The problem comes when I try to type an exact time in the query itself. I am trying by putting  for example:  earliest=10/19/2018:00:00:00   but it does not work. I am even trying  earliest=-1d  and it just does not listen to it, it listens to whatever is chosen in the timepicker. Maybe I am taking  the wrong approach with my initial query.  Has anybody been in this situation? Or anyone can shed some light here?  Thank you very much in advance.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-26-2021 11:51 AM
Karma given to
View All