Solved: Can I access the search timeframe within the searc...

auntyem · ‎09-13-2012

I want to get at the duration of the search timeframe within the search itself. So if I set the search to look at the previous month, I want to know within the search the length of that month (in days, hours, whatever, I can convert if I can get it in some time format). This seems like it should be easy but I can't figure out how to do it, as searching for words like 'time frame' give me a huge amount of results.

Are there some variables of functions that I can use to get this?

Thanks,
Mary

jonuwz · ‎09-13-2012

Add " | addinfo " to your search.

This gives you access to the following fields :

info_min_time: the earliest time bound for the search
info_max_time: the latest time bound for the search.

Docs here

View solution in original post

mixolydian · ‎09-13-2012

I believe you are looking for searchEarliestTime and searchLatestTime. This thread describes the process of getting them using the search ID, and a comment describing a solution that might meet your requirements.

http://splunk-base.splunk.com/answers/53056/obtaining-the-search-time-range-in-a-custom-search-comma...

Hope that helps.

Update: I think jonuwz's solution is easiest.

jonuwz · ‎09-13-2012

Add " | addinfo " to your search.

This gives you access to the following fields :

info_min_time: the earliest time bound for the search
info_max_time: the latest time bound for the search.

Docs here

mixolydian · ‎09-14-2012

Glad to hear it, auntyem! For future, I don't believe a 'where' command would remove fields. More likely it would be a 'table' or 'fields' command, which limit fields in all events, rather than events themselves, as is the case with 'where'.

auntyem · ‎09-14-2012

That's it! moving hte addinfo did the trick! Probably makes sense as I had a where command a bit earlier in the search but after the add info. Thanks!

mixolydian · ‎09-14-2012

It worked for me. If possible, I would place the addinfo right before the eval for total time. Perhaps you are losing those info_ variables before you get to the eval. You could try placing " | addinfo | eval duration = info_max_time - info_min_time | table info_max_time, info_min_time, duration" at the end of any test search to see if it is working for you before you plug it into your actual search.

auntyem · ‎09-14-2012

I tried that earlier (first thing I thought of)...It didn't work?? here's the last part of my search:

|eval total_time=info_max_time-info_min_time|table total_down_time, total_time

my table showed the total_down_time (calced earlier in the search but not the total_time. Am I missing a fatfinger? The addinfo was also earlier in the search.

mixolydian · ‎09-14-2012

How about " | eval duration = info_max_time - info_min_time"? That will give you duration in seconds.

auntyem · ‎09-14-2012

Thanks! Now, stupid question, how to I use them to get the duration of the time? Can't seem to figure that out. I think I need to use some conversion functions but havne't quite found the right one.

Can I access the search timeframe within the search?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!