Splunk Search

Can I difference between earliest and latest irrespective of the event data?

rakesh_498115
Motivator

Hi.

I have created a form with a time picker control. Based on the time selected, I need to calculate the transactions per second (TPS) on my log data. Say the user selects the last 1 hr, i.e. 3pm to 4pm, and I have my logs only at 3:30 pm. Now I have to calculate the TPS for the last 1 hr, say 4-3 = 1.

earliest=3pm
latest=4pm

Previously I used the following.

stats earliest(_time) as earliest latest(_time) as latest

But this is not correct. I need the earliest and latest based on the user selection rather than the log event _time.

Please help me. Thanks.

0 Karma

jonuwz
Influencer

Add ... | addinfo to your search.

You'll have fields called

info_min_time: the earliest time bound for the search
info_max_time: the latest time bound for the search

docs here

The duration of the search in seconds is info_max_time - info_min_time

Ayn
Legend

...which is why I suggested using now() in those cases.

0 Karma

rakesh_498115
Motivator

See, Ayn: based on the user selection I need to calculate the time difference in seconds for my TPS formula. So when, say, the user selects the "alltime" option, it should ideally be the time for that particular index the data came up to now. So earliest would be that starting time and now would be the latest time.

So in this case, if the user selects, the addinfo command is not giving info_max_time and info_min_time; it is showing as infinity :(. That's where I got stuck. It's working for the remaining time intervals.

0 Karma

Ayn
Legend

What's not working? Just use now() if you want current time as your latest time for searches over all time?

0 Karma

rakesh_498115
Motivator

jonuwz, but when I select alltime, info_max_time is not working. Can you please help?

0 Karma

Drainy
Champion

Interesting, I genuinely have never come across this before somehow.

0 Karma
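
An added example, not posted by anyone in this thread, combining the two suggestions above: addinfo for the time picker bounds, with now() and the first event time as fallbacks for an "all time" search. `your_index` is a placeholder, and the search assumes that an unbounded range shows up as info_min_time = 0 and info_max_time = "+Infinity" (the "infinity" value reported above).

```spl
index=your_index
| stats count AS events min(_time) AS first_event
| addinfo
| eval range_start = if(info_min_time == 0, first_event, info_min_time)
| eval range_end = if(info_max_time == "+Infinity", now(), info_max_time)
| eval duration_secs = range_end - range_start
| eval tps = if(duration_secs > 0, round(events / duration_secs, 4), null())
| table events range_start range_end duration_secs tps
```

For a bounded selection such as 3pm to 4pm, duration_secs is 3600 regardless of where the events fall inside the window.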