- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Splunk Search a time range within a specified fiel...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Search a time range within a specified field
Hello,
I have a summary index that I created a custom field of 'latest' which was the last time that the server reported to the cluster index. It shows as "MM/DD/YYYY XX:XX:XX". I would like to create a search that only searches from the today's current time to 2 weeks ago within that 'latest' field.
Currently, I have tried 'latest="-2w@w"', but it only displays the singular day two weeks ago. I would like to it to search over everyday day within that 2 week period from today to 2 weeks ago.
Using 'earliest="2w@w"' does not use the 'latest' field, so that will not work either. Any assistance will be greatly appreciated.
Thanks,
Mike
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot use your latest field interchangeably with the built-in field of the same name. And for that reason, you can't use the relative time syntax. As far as Splunk is concerned, your latest field is simply a string. So you could do this:
yoursearchhere
| eval lasttime=strptime(latest,"%m/%d/%Y %H:%M:%S")
| where _time<= now() and time >= relative_time(lasttime,"-2w@w")
I feel like this isn't the answer, because I really don't understand what you are trying to search. What data do you want as a result of this search? Is that data also in the summary index - if not, then there needs to be a join or an append or something to bring in the second index...
But maybe this will get you started.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i were to change the name of the 'latest' field to say 'lastcheckin', would that make it so I could use the relative time syntax?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As for what I am looking to achieve is the last time the server reported to the cluster index. From here we forward the hostname and last time (latest) it reported to the summary index for us to monitor the servers. The search we use to send the information to the summary index:
| tstats latest(_time) as latest where index="$INDEX" NOT host="$MONITORSERVER" by host
| dedup host
| convert ctime(latest)
In the summary index, there is servers that last reported 3 months ago and are now turned off. I do not need to track those servers as they were test servers, but the summary index search still sends the information over to the summary index every minute as stated.
So basically, I am trying to have the latest field in the summary index to show only servers that reported within the last two weeks. This will weed out the servers that have been off for months, as their latest field states that they last reported months ago. Thanks again for the help.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
