Monitoring Splunk

How does the addinfo command work with time?

Esky73
Builder

The new fields that are created when using the addinfo cmd

info_min_time The earliest time boundary for the search.
info_max_time The latest time boundary for the search.

How are they calculated ?

I've used the Example 2 as detailed here to create a search : http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addinfo

Looking to find more info as to what the new created fields do.

thx

0 Karma

niketn
Legend

@Esky73, | addinfo command adds search related metadata info to the search results so that the same can be reused. I think the documentation is fairly detailed as to what each for the info_* fields do

info_min_time         : Earliest time selected for the search you ran (this would be the earliest time from the Time Picker that you run or else if you have used `earliest` parameter in the base search) 

info_max_time         : Latest time selected for the search you ran (this would be the latest time from the Time Picker that you run or else if you have used `latest` parameter in the base search)

info_sid              : The Search ID of the search job that generated the event/s. This will help you re-run the search or pull the results from the search using this ID. (REST endpoints reference are listed here: http://docs.splunk.com/Documentation/Splunk/latest/RESTTUT/RESTsearches#REST_endpoints_for_searches)

info_search_time      : The time when the Search job was executed. This would be the same as info_max_time when your latest time is `now()` or `@s`

If you want to see these values and understand how they work you can change the second query in the addinfo reference documentation like the following and re-run the search with different Time ranges:

<YourBaseSearch>
| stats latest(_time) AS latest_time BY host
| addinfo
| fieldformat latest_time=strftime(latest_time,"%c")
| fieldformat info_min_time=strftime(info_min_time,"%c")
| fieldformat info_max_time=strftime(info_max_time,"%c")
| fieldformat info_search_time=strftime(info_search_time,"%c")
| table host latest info_*

Actually in the query the pipe | eval latest_age = info_max_time - latest_time, is used to calculate theage of last event received per host, using latest event received per host (i.e. latest_time) by subtracting it from latest time which is being seen usinglatest from the time range picker` (i.e. info_max_time). Let us know if you require further details.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...