custom time range to sub search

amerineni · ‎09-23-2019

Hi, I want to run a search for a selected time range, and also want to do a sub search for the same duration in the previous interval. For example if user selects the last 60 mins as time range, then i want to do a sub search for the previous hour. Please help me how we can achieve this. Thanks.

..my search | eval range=info_max_time - info_min_time | [search earliest=earliest from time range - range latest=latest from time range - range]

HiroshiSatoh · ‎09-23-2019

For search, the sub-search is searched first. Therefore, it is possible to set the time range of the original search based on the subsearch results.

index=_internal source=*splunkd_access.log* [search earliest=-1d@d index=_internal source=*splunkd.log* ERROR | tail 1 | eval earliest=_time-60 | eval latest=_time+60 | table earliest latest | format "(" "(" "" ")" "OR" ")" ]

I changed it dynamically. There are default restrictions on the subsearch results, so change them.

index=_internal source=*splunkd_access.log* 
 [| makeresults 
  | addinfo 
  | eval latest=info_min_time
  | eval earliest=latest-(info_max_time-info_min_time)
  | table earliest latest 
  | format "(" "(" "" ")" "OR" ")" ]
| head 1
| append [search index=_internal source=*splunkd_access.log*|head 1]

amerineni · ‎09-24-2019

the time range is not fixed here. If user selects last 60 mins, then i should compare the trend with the previous 60 mins. If user selects last 4 hours in time picker, the the subs search should compare the results with 4 hours before that time range. So the subs search time range should be calculated dynamically based on the user picked time range.

HiroshiSatoh · ‎09-24-2019

Added answer.

custom time range to sub search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life