Solved: Restrict search to exclude events from today

cafissimo · ‎11-07-2013

Hello,
I would like to know how is it possible to narrow every search that a user can launch to exclude events comin from 00:00 of current day.
i know I could use latest=@d, but since the search is issued in a form where there's also a timerange picker, if I put latest=@d it completely override the time range chosen by user.
Maybe should I do some eval after the initial search (

| eval bla bla about time).?

Thanks in advance and kind regards.

Luca Caldiero

martin_mueller · ‎11-07-2013

A dirty way would be to modify the search underneath the form to include this:

... | where _time < relative_time(now(), "@d") | ...

That won't work if users can type in their own search of course. I don't think there's a way to force people into a specific timerange if they also have custom time available from a time range picker.

View solution in original post

martin_mueller · ‎11-07-2013

A dirty way would be to modify the search underneath the form to include this:

... | where _time < relative_time(now(), "@d") | ...

That won't work if users can type in their own search of course. I don't think there's a way to force people into a specific timerange if they also have custom time available from a time range picker.

cafissimo · ‎11-07-2013

Well,
that is what I was looking for. I agree with you that it is a dirty way.
I've also modified times.conf to exclude certain time periods (last 60 minutes, last 4 hours and so on).
I will put this where condition into my form, even if I am quite sure it will slow down searches.

Thanks a lot

Restrict search to exclude events from today

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes