Solved: Time manipulation doesn't work

Yarsa · ‎02-06-2012

My query runs for the past week and I want to append to sets of results from 2 different date ranges. What is my mistake?

eventId="43330100000002004" | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as "new_t" |search "join room success" earliest="02/04/2012 12:00:00" latest="02/05/2012 12:00:00"

lguinn2 · ‎02-06-2012

FIrst, the time format in the earliest and latest is wrong. It should be

 earliest="02/04/2012:12:00:00" latest="02/05/2012:12:00:00"

Also, the search command on the second line does not run an independent search. The search command searches within the previous search results. You may want to use the append command instead. For example

eventId="43330100000002004" | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as "new_t" |
append [search "join room success" earliest="02/04/2012:12:00:00" latest="02/05/2012:12:00:00"]

View solution in original post

lguinn2 · ‎02-06-2012

FIrst, the time format in the earliest and latest is wrong. It should be

 earliest="02/04/2012:12:00:00" latest="02/05/2012:12:00:00"

Also, the search command on the second line does not run an independent search. The search command searches within the previous search results. You may want to use the append command instead. For example

eventId="43330100000002004" | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as "new_t" |
append [search "join room success" earliest="02/04/2012:12:00:00" latest="02/05/2012:12:00:00"]

Time manipulation doesn't work

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms