Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

custom time range to sub search

amerineni
Loves-to-Learn
‎09-23-2019 09:03 PM

Hi, I want to run a search for a selected time range, and also want to do a sub search for the same duration in the previous interval. For example if user selects the last 60 mins as time range, then i want to do a sub search for the previous hour. Please help me how we can achieve this. Thanks.

..my search | eval range=info_max_time - info_min_time | [search earliest=earliest from time range - range latest=latest from time range - range]

Tags (1)
0 Karma
Reply

HiroshiSatoh
Champion
‎09-23-2019 10:21 PM

For search, the sub-search is searched first. Therefore, it is possible to set the time range of the original search based on the subsearch results.

index=_internal source=*splunkd_access.log* [search earliest=-1d@d index=_internal source=*splunkd.log* ERROR | tail 1 | eval earliest=_time-60 | eval latest=_time+60 | table earliest latest | format "(" "(" "" ")" "OR" ")" ]

I changed it dynamically. There are default restrictions on the subsearch results, so change them.

index=_internal source=*splunkd_access.log* 
 [| makeresults 
  | addinfo 
  | eval latest=info_min_time
  | eval earliest=latest-(info_max_time-info_min_time)
  | table earliest latest 
  | format "(" "(" "" ")" "OR" ")" ]
| head 1
| append [search index=_internal source=*splunkd_access.log*|head 1]
0 Karma
Reply

amerineni
Loves-to-Learn
‎09-24-2019 10:22 AM

the time range is not fixed here. If user selects last 60 mins, then i should compare the trend with the previous 60 mins. If user selects last 4 hours in time picker, the the subs search should compare the results with 4 hours before that time range. So the subs search time range should be calculated dynamically based on the user picked time range.

0 Karma
Reply

HiroshiSatoh
Champion
‎09-24-2019 10:01 PM

Added answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...