Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use field value for earliest and latest

C_Sparn
Communicator
‎06-26-2014 04:53 AM

Hello,

I have a field "first" with a value that looks like "%m/%d/%Y:%H:%M:%S". For Example 06/25/2014:0:0:0.
Now I would like to use this field value for:

search index=any earliest=first...

This gives me the exception that the string "first" is invalid for earliest.
But if I use earliest = "06/25/2014:0:0:0" it works.
How can i use the field value?
Greetings

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-26-2014 06:18 AM

You can pass subsearch results into earliest and latest like this:

index=_internal [stats count | eval earliest="-h@m" | fields earliest] [stats count | eval latest="now" | fields latest]

The two subsearches can be arbitrary searches that somehow compute the timerange.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-26-2014 06:18 AM

You can pass subsearch results into earliest and latest like this:

index=_internal [stats count | eval earliest="-h@m" | fields earliest] [stats count | eval latest="now" | fields latest]

The two subsearches can be arbitrary searches that somehow compute the timerange.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-26-2014 08:54 AM

Yeah - be wary of using that in dashboards though, you'll have to escape the dollar sign using a second dollar sign.

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎06-26-2014 07:11 AM

Hello,

thank you, that is working. But you can also use

search...earliest = [search subsearch |return $earliest]

if earliest has the right time format.
Greetings

0 Karma
Reply
Solved! Jump to solution

C_Sparn
Communicator
‎06-26-2014 05:49 AM

Hello,
I'm getting the value from a field with multiple date values like this:

|stats first(other_field) as first then I go on with
|join[search... earliest = first]

And earliest=[subsearch] is a good idea but is also not working.
Greetings

0 Karma
Reply
Solved! Jump to solution

jeremiahc4
Builder
‎06-26-2014 05:25 AM

It would seem to me you'd need to have a function there which would replace the literal characters "first" with the value. I've not seen this done, but could you do a subsearch in brackets there? i.e. search index=any earliest=[search terms | fields first]

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-26-2014 05:01 AM

Where does that field value come from?

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...