Solved: How to use search time range in stats?

yuanliu · ‎12-16-2014

field=value earliest=-7d@d latest=@d

When there are many events in these 7 days, I can use earliest(_time) and latest(_time) (or if I'm lucky with data, even last(_time), first(_time)) to determine the time range, thereby determine frequency. But when events are sparse, these functions differ too much from the specified earliest and latest time boundaries. I initially thought _span was available in stats, but it is not. How can I access the time range in stats?

Ayn · ‎12-16-2014

If you mean how to get which timerange the search was run across, use the addinfo command which adds fields with this information. See: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Addinfo

View solution in original post

Ayn · ‎12-16-2014

If you mean how to get which timerange the search was run across, use the addinfo command which adds fields with this information. See: http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Addinfo

yuanliu · ‎12-16-2014

addinfo is it. Thanks @Ayn

MuS · ‎12-16-2014

Hi yuanliu,

If you're after the span in stats do something like this

field=value .... | bucket _time span=1d | stats count by field, _time

Hope this helps to get you going ...

cheers, MuS

Raghav2384 · ‎12-16-2014

How about a Parent Search like : .....|stats count by field1,field2,field3,field4,field5,_time and the child search

search base="Parent and use Timechart here?

Pardon me if i am going tangents.

How to use search time range in stats?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!