Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to structure search for dynamic earliest latest

ohlafl
Communicator
‎08-06-2015 05:00 AM

I have a search query that begins like this:

index=someData earliest=08/06/2015:10:00:00 latest=08/06/2015:21:00:00... rest of search.

I need to set the date of earliest and latest as dates of today and if I've understood it correctly I should be able to convert the now value to epoch time but then I need to use eval and that is not possible(?) within the first search pipe, how should I structure the search so that I can do this effectively?

Edit: I should mention that I cannot use any d@d or similar as I use the search in an overlay comparing results for two days and this will mess up the timeline.

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-06-2015 05:32 AM

I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html

HOWEVER, looking at your use case in the reply below you can probably accomplish the same with relative time trickery, something like:

earliest=@d+10h  latest=@d+17h  <rest of search>

The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.

earliest=-1d@d+10h+32m  latest=@d-15h+30m

Or other such tomfoolery. Perhaps this is more like what you're trying to do?

Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-06-2015 05:32 AM

I don't follow your use case entirely, but you can use a subsearch to emit earliest and latest. See http://answers.splunk.com/answers/65255/returning-time-from-subsearch-to-main-search.html

HOWEVER, looking at your use case in the reply below you can probably accomplish the same with relative time trickery, something like:

earliest=@d+10h  latest=@d+17h  <rest of search>

The "additive/subtractive" modifiers on the relative time operators are a great way of getting to a particular point in time. You can add to them in nearly arbitrarily complex ways too.

earliest=-1d@d+10h+32m  latest=@d-15h+30m

Or other such tomfoolery. Perhaps this is more like what you're trying to do?

Also also, if you are doing day-over-day comparisons or other such things, you should know about the timewrap app. https://splunkbase.splunk.com/app/1645/#/overview

Reply
Solved! Jump to solution

sharan928
Engager
‎11-30-2016 11:28 AM

If we are using macros for earliest and latest, this approach of adding time would not work. We need to create a subsearch.

0 Karma
Reply
Solved! Jump to solution

acharlieh
Influencer
‎08-06-2015 06:08 AM

The @dwaddle solution applied: 

index=someData [noop|stats count|fields|eval earliest=relative_time(now(),"@d+10h")|eval latest=relative_time(now(),"@d+21h")| convert timeformat="%m/%d/%Y:%T" ctime(*)| format "" "" "" "" "" ""] ... rest of search
Reply
Solved! Jump to solution

ohlafl
Communicator
‎08-06-2015 06:37 AM

Thank you both, this worked perfectly.

0 Karma
Reply
Solved! Jump to solution

ohlafl
Communicator
‎08-06-2015 05:55 AM

I undestand, a bit difficult to explain, what I basically want to do is to replace earliest and latest with the date of the day that the search is perform, i.e "today" in the format of MM/DD/YYYY:XX:00:00 (where X is a fixed time), sort of like:

index=someData earliest="get.todaysDate":10:00:00 latest="get.todaysDate":21:00:00

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎08-06-2015 06:31 AM

OH! Well that is perhaps even easier! Let me update the answer with the "right way" 🙂

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...