Solved: mention ealiest time and latest time in the query ...

surekhasplunk · ‎05-28-2020

Hi

I am trying to generate a report which i want to run at 2:30PM on 3 days a week only for the time range choosen as 1:25 PM to 1:30 PM how to pass the values earliest and latest in this case ?

is it like i have to convert the date and time to epoch time first and then pass it to earliest and latest or how to achieve in a simpler way?

493669 · ‎05-28-2020

@surekhasplunk , Can you try including time modifiers in earliest and latest like below-

index=<yourindexname> earliest=-65m latest=-1h

View solution in original post

to4kawa · ‎05-28-2020

index=yours your_main_search_string
[| makeresults 
| eval earliest=strftime(_time,"%m/%d/%Y").":13:25:00"
| eval latest=strftime(_time,"%m/%d/%Y").":13:30:00"
| format]

use sub search to send earliest and latest

reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

493669 · ‎05-28-2020

@surekhasplunk , Can you try including time modifiers in earliest and latest like below-

index=<yourindexname> earliest=-65m latest=-1h

mention ealiest time and latest time in the query for a report

scheduled search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!