Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Changing the now() reference point before running a saved search

Kindred
Path Finder
‎01-02-2017 11:09 PM

Is it possible to change the value of now (or the reference point it uses) so that I can back-date and run a saved search that uses a relative time window? As an example, say there is a saved search that contains:

earliest=-1h latest=now | stats count by host

In this case I can't change the saved search, but I'd like to run that saved search for say 2016-01-01 01:00. Can I tell the saved search to use that specific time as the reference point of now?

I'm running the search via web export ( /servicesNS/<name>/<app>/search/jobs/export), so curious if there could be a request parameter I could set or something?

0 Karma
Reply

dvb
Path Finder
‎09-18-2018 03:58 AM

For the backfill case you can just use fill_summary_index.py and tell it over which timerange it should run the searches. See
http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Managesummaryindexgapsandoverlaps#Use_th...

0 Karma
Reply

lguinn2
Legend
‎01-02-2017 11:55 PM

You can't change the value of "now" - it is actually not the current time, but the time when the search started running.

But you can use an absolute time instead of a relative time for earliest and latest. Take a look at the topic Specify time modifiers in your search in the documentation. For example, you could do this

earliest=1/1/2016:0:0:0 latest=1/1/2016:23:59:59

Since you are writing code, you could just do the appropriate time math in your code...

0 Karma
Reply

Kindred
Path Finder
‎01-03-2017 02:46 PM

As I mentioned I can't change the saved search, and it was only an example to make the point. There's actually hundreds of saved searches that use relative time periods and various calculations using now(), many of them using summary indexes, which is why I was directly asking about the reference point used by now so that I wouldn't be modifying the searches.

If there was a way to change where now started from, all these reports could be very easily backfilled.

I may be going off on a tangent anyway, is it even possible to run a scheduled search remotely that is set to summary index?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...