Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I search for all events occuring 24 hours prior to a variable time?

eFlea
New Member
‎12-14-2010 12:55 AM

I'm running Splunk v4.1.5, and I'm trying to specify a time range in my search so that I can find events within a certain range prior to a given time.

For example, lets say I want to search for events occurring during the 24 hours prior to 10/07/2010:17:38:00. I cannot determine the correct syntax for this search.

Specifying the "earliest" date as "10/06/2010:17:38:00" seems to be an unsatisfactory solution, because I intend to determine the "latest" value using a subsearch, making the "latest" time a variable value.

My attempt at a search query that does this looks like:

'desthostname="www.google.com" earliest=-24h latest="10/07/2010:17:38:00"'

However, executing this search gives:

"Error in 'UnifiedSearch': Unable to parse the 'Invalid time bounds in search: start=1292201255 > end=1286498280' search."

This error seems to indicate that the relative "earliest" search term seems to be tied to the current time, not 10/07/2010:17:38:00, which is what I want.

How can I create a search query that allows me to specify a relative time range that is tied to an arbitrary time? If this isn't possible, is there a way to calculate a non-relative time value that is equivalent to 24 hours before my "latest" time?

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎02-15-2012 02:01 AM 
desthostname="www.google.com" |
eval end_time = strptime("10/07/2010:17:38:00", "%D:%T") | 
eval start_time = relative_time(end_time,"-24h") |
search _time >= start_time AND _time <= end_time

This should work! For the green button, choose a time range that will include everything you are looking for - hopefully that doesn't mean searching "all time". You might consider creating a macro with a single argument. The argument would be the time string.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎12-14-2010 06:28 PM

Yes, relative times are always relative to now(), so you won't be able to accomplish what I think you want to using the search language as such.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...