Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I set a latest relative to an absolute earliest time so I don't have to type as much?

dreeck
Path Finder
‎01-27-2018 10:29 AM

Yes, lazy.

I'd like to search for events an hour after a specific date/time, using earliest like this:

index=fruit fruitType=Banana earliest="01/08/2018:10:00:00" latest=+1h

Instead of my intended results (1 hr of results) I get many days, plus 1 hour in the future (which is exactly what the query above asks for).

Is there some syntax for latest that will search relative time related to an absolute earliest without having to add an eval?

Lazily,

Dave

Tags (2)
Reply

elliotproebstel
Champion
‎01-27-2018 05:37 PM

The dashboard that @niketnilay coded up for you should do the trick. But if you'd like a strategy for running such a search from the search line, you can use a site like this: https://www.epochconverter.com/

You put in your desired time to convert and select "Local Time". As my browser is set to US Eastern Time (New York), the time stamp from your post converts to this epoch time string: 1516287600. To use this in your search, I'd do like this:

index=fruit fruitType=Banana earliest=1516287600 latest=+1h

If you are in another time zone, you should use that site (or something similar) to convert to an epoch time stamp that is appropriate for your time zone, and then you can use that as a static value for either earliest or latest.

Reply

dreeck
Path Finder
‎02-01-2018 03:54 PM

Huh. I wonder why I can't do this with a human formatted time. Presumably Splunk can convert my local time to epoch on the back end. Sounds like it only support absolute epoch values for earliest.

0 Karma
Reply

elliotproebstel
Champion
‎02-01-2018 07:19 PM

Yeah, for earliest, I believe Splunk supports two formats: epoch timestamp and the relative time formats documented here:
https://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/SearchTimeModifiers

0 Karma
Reply

niketn
Legend
‎01-27-2018 10:59 AM

@dreeck, following is a run anywhere dashboard which sets the earliest time as static value and computes latest time as 1 hour ahead (i.e. 3600 secs)

<form>
  <label>Static Earliest and Latest</label>
  <fieldset submitButton="false">
    <input type="text" token="tokSelectEarliestTime" searchWhenChanged="true">
      <label>Earliest Time</label>
      <default>01/08/2018:10:00:00</default>
      <change>
        <eval token="tokEarliest">strptime($value$,"%m/%d/%Y:%H:%M:%S")</eval>
        <eval token="tokLatest">strptime($value$,"%m/%d/%Y:%H:%M:%S")+3600</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd earliest="$tokEarliest$"  latest="$tokLatest$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

dreeck
Path Finder
‎02-01-2018 03:52 PM

Thank you! My question was regarding how to do this on the search line. This is an interesting technique, but not applicable to my need.

0 Karma
Reply

niketn
Legend
‎08-11-2018 05:07 AM

@dreeck , please use following answer of mine which has similar example with addinfo which will allow you to do something similar by adding | addinfo command.

https://answers.splunk.com/answers/578984/running-one-of-two-searches-based-on-time-picker-s.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...