latest = earliest + 1day. in search query

snehasal
Explorer

Hi,

I am trying to filter my search results by specifying earliest and latest time in my search query. The earliest time comes from a token. I want the latest time to be earliest + 1day. $time_token$ has the date which is selected from one of the Dashboard panels.
Please help

source="ClodeRunner10.csv" sourcetype="csv" earliest=$time_token$ latest =$time_token"+1d
| eval WfStart=If(step_info="WORKFLOW START",_time,null()) 
| eval WfEnd=If(step_info="WORKFLOW END",_time,null()) 
| sort 0 _time 
| streamstats latest(WfStart) as WfStart by workflow_name 
| eval WfDuration=round(((WfEnd-WfStart)/60) ,2) 
| timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false

Thanks,
Sneha

1 Solution

jackson1990
Path Finder

Try the below approaches:
1. Mention 1d in secs in your query. Include eval latest = $time_token$+86400 in your query
or
2. Include eval latest=relative_time($time_token$, "+d") in the query
Don't forget to append the pipe (|) operator for eval operations.
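
One way to make the search itself honor a computed one-day window, as an added example that is not part of the original thread: a subsearch computes both bounds and hands them back to the outer search as time modifiers. It assumes $time_token$ holds an epoch timestamp in seconds and that the query lives in a Simple XML dashboard search element.

```xml
<!-- Added example, not from the thread.
     Assumption: $time_token$ is an epoch timestamp in seconds, so adding
     86400 moves the upper bound exactly one day later. -->
<search>
  <query>
    source="ClodeRunner10.csv" sourcetype="csv"
        [| makeresults
         | eval earliest=$time_token$
         | eval latest=earliest+86400
         | return earliest latest]
    | eval WfStart=if(step_info="WORKFLOW START",_time,null())
    | eval WfEnd=if(step_info="WORKFLOW END",_time,null())
    | sort 0 _time
    | streamstats latest(WfStart) as WfStart by workflow_name
    | eval WfDuration=round(((WfEnd-WfStart)/60),2)
    | timechart eval(round(avg(WfDuration),2)) by workflow_name limit=0 useother=false
  </query>
  <!-- The subsearch runs first; "return earliest latest" emits
       earliest="..." latest="...", which the outer search applies
       as its time range before any events are retrieved. -->
</search>
```

Swapping the second eval for latest=relative_time(earliest, "+1d") gives a calendar day instead of a fixed 86400 seconds, which differs on days with a daylight-saving change.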

snehasal
Explorer

latest = $time_token$+86400 worked for me.
Thanks

jackson1990
Path Finder

Glad it worked!!
