I'd like to search for events an hour after a specific date/time, using earliest like this:
index=fruit fruitType=Banana earliest="01/08/2018:10:00:00" latest=+1h
Instead of my intended results (1 hr of results), I get many days, plus 1 hour in the future (which is exactly what the query above asks for).
Is there some syntax for latest that will search relative time related to an absolute earliest without having to add an eval?
The dashboard that @niketnilay coded up for you should do the trick. But if you'd like a strategy for running such a search from the search line, you can use a site like this: https://www.epochconverter.com/
You put in your desired time to convert and select "Local Time". As my browser is set to US Eastern Time (New York), the time stamp from your post converts to this epoch time string: 1516287600. To use this in your search, I'd do it like this:
index=fruit fruitType=Banana earliest=1516287600 latest=+1h
If you are in another time zone, you should use that site (or something similar) to convert to an epoch time stamp that is appropriate for your time zone, and then you can use that as a static value for either
Huh. I wonder why I can't do this with a human-formatted time. Presumably Splunk can convert my local time to epoch on the back end. Sounds like it only supports absolute epoch values for earliest.
earliest, I believe Splunk supports two formats: epoch timestamp and the relative time formats documented here:
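As an added example (not code from the thread or from Splunk), here is a small Python script that does the conversion the answer describes without an online converter: it parses the time in the same "%m/%d/%Y:%H:%M:%S" format Splunk uses for absolute earliest/latest values, attaches a time zone, turns it into an epoch integer, and builds the search with latest pinned to earliest plus 3600 seconds. The constants EASTERN_STANDARD (a fixed UTC-5 offset, which is correct for a January date) and UTC are assumptions of the example; for a DST-aware conversion you would pass zoneinfo.ZoneInfo("America/New_York") instead of the fixed offset.

```python
from datetime import datetime, timedelta, timezone

# Format Splunk accepts for absolute earliest/latest values (and used by the
# dashboard's strptime call in this thread).
SPLUNK_TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"

# Constructed time zones for the example. EASTERN_STANDARD is a fixed UTC-5
# offset, valid for the January date discussed; use
# zoneinfo.ZoneInfo("America/New_York") for dates that may fall in DST.
EASTERN_STANDARD = timezone(timedelta(hours=-5), "EST")
UTC = timezone.utc


def splunk_time_to_epoch(value: str, tz) -> int:
    """Interpret an absolute Splunk-format time string in time zone `tz`
    and return the corresponding Unix epoch seconds as an integer."""
    naive = datetime.strptime(value, SPLUNK_TIME_FORMAT)
    aware = naive.replace(tzinfo=tz)          # attach the zone, no shifting
    return int(aware.timestamp())             # epoch seconds in UTC


def window_search(base_search: str, start: str, tz, seconds: int = 3600) -> str:
    """Build a search whose window starts at `start` (absolute, in `tz`) and
    ends `seconds` later. Both bounds are emitted as epoch values so the
    latest bound is relative to earliest, not to 'now' (which is what a
    bare latest=+1h means)."""
    earliest = splunk_time_to_epoch(start, tz)
    latest = earliest + seconds
    return f"{base_search} earliest={earliest} latest={latest}"


if __name__ == "__main__":
    # Hypothetical search from the question, one hour from 10:00 EST on 2018-01-08.
    print(window_search("index=fruit fruitType=Banana",
                        "01/08/2018:10:00:00", EASTERN_STANDARD))
```

The resulting search carries two fixed epoch bounds, so it returns exactly the hour intended regardless of when it is run, and the script makes the time zone explicit rather than depending on whichever zone the browser happens to be in.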
@dreeck, the following is a run-anywhere dashboard which sets the earliest time as a static value and computes the latest time as 1 hour ahead (i.e. 3600 secs):
<form>
  <label>Static Earliest and Latest</label>
  <fieldset submitButton="false">
    <input type="text" token="tokSelectEarliestTime" searchWhenChanged="true">
      <label>Earliest Time</label>
      <default>01/08/2018:10:00:00</default>
      <change>
        <!-- convert the typed absolute time to epoch, then add 3600 s for latest -->
        <eval token="tokEarliest">strptime($value$,"%m/%d/%Y:%H:%M:%S")</eval>
        <eval token="tokLatest">strptime($value$,"%m/%d/%Y:%H:%M:%S")+3600</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <event>
        <search>
          <query>index=_internal sourcetype=splunkd earliest="$tokEarliest$" latest="$tokLatest$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="list.drilldown">none</option>
        <option name="list.wrap">1</option>
        <option name="maxLines">5</option>
        <option name="raw.drilldown">full</option>
        <option name="rowNumbers">0</option>
        <option name="table.drilldown">all</option>
        <option name="table.sortDirection">asc</option>
        <option name="table.wrap">1</option>
        <option name="type">list</option>
      </event>
    </panel>
  </row>
</form>
@dreeck, please use the following answer of mine, which has a similar example with addinfo; it will allow you to do something similar by adding the | addinfo command.