How to overwrite earliest/latest time during search for saved search?

AKG1_old1
Builder

Hi,

I am looking to change the earliest/latest time during search for saved searches. It's working for a normal search query but not for savedsearch. Is this expected?

Is there a way to override the time for savedsearch? For my search query I am getting the earliest/latest time from another file generated dynamically, so I can't use the timepicker.

Case 1: Override of earliest/latest time doesn't work for saved search (screenshot).

Case 2: Override of earliest/latest time works for normal search query (screenshot).

0 Karma

althomas
Communicator

There is a way to achieve this, but your savedsearch has to cater for it. You can't amend the savedsearch timespan by just putting earliest= latest= in the command properties -- that doesn't work. You have to provide the data as variables to the savedsearch.

Here is a savedsearch I have created called "Makeresults Show Times":

index=_internal earliest=$etime$ latest=$ltime$
| head 1
| addinfo
| convert ctime(info_min_time) as earliest_time ctime(info_max_time) as latest_time timeformat="%d/%m/%Y %H:%M:%S"
| table earliest_time latest_time

You can then pass the variables etime and ltime to the search to override the time selection, such as:

| savedsearch "Makeresults Show Times" etime=-15m ltime=now

This will then produce the correct data that you are looking for.

That said, it will also break the report when it is referenced not using the etime and ltime variables -- so you would have to make a report that would only cater for this singular use case and for no others, which seems like it would introduce duplication of effort.

So it is possible, just not very practical.

0 Karma

nickhills
Ultra Champion

A saved search has a defined time window which is configured when you build the original search; this timeframe is used when the search is executed.

You can't pass earliest/latest to the savedsearch command because you are recalling events with a predetermined window.
Notice that the parameters have not been formatted as green when passed to the saved search, but they do for the normal search.

If you are using the saved search to recall a complex search query, consider using a macro instead.

If my comment helps, please give it a thumbs up!
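As an added example (not part of either answer above), this is how the macro alternative suggested by nickhills could be written out for the same search althomas used, so the time window is supplied by the caller instead of being fixed in a saved search. The macro name `show_times` and the zero-argument fallback with a 24-hour default are assumptions chosen for this example; the fallback avoids the breakage althomas describes when the report is invoked without the time variables.

```ini
# macros.conf (example, not from the thread)
# Two-argument macro: the caller supplies earliest and latest time.
# Invoke from a search as:  `show_times(-15m, now)`
[show_times(2)]
args = etime, ltime
definition = index=_internal earliest=$etime$ latest=$ltime$ \
| head 1 \
| addinfo \
| convert ctime(info_min_time) as earliest_time ctime(info_max_time) as latest_time timeformat="%d/%m/%Y %H:%M:%S" \
| table earliest_time latest_time

# Zero-argument fallback so `show_times` still works when no window is
# passed; it simply calls the two-argument version with an assumed
# default of the last 24 hours.
[show_times]
definition = `show_times(-24h, now)`
```

Because the macro is expanded inline, the earliest/latest values you pass (for example ones read from a dynamically generated file and placed in the search string) take effect exactly as they would in a normal search query.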