
When you search with "All Time" the timeline snaps to the earliest and latest event times. Is there a way to create a custom time range relative to the earliest/latest event time?

e.g. Earliest: LastEvent-1d      Latest: LastEvent

Why this came up: We are introducing Splunk to a partner of ours and we have set up an indexer and search head for them. But they don't want to install forwarders on their production systems yet because they're just checking it out so far. So we just uploaded some chunks of their log files. In a real deployment situation where the data was coming in in real time, we could just set the search time range for dashboards to 'Earliest: -1d Latest: ', but because there is only a chunk of files we only get a few hours' worth of data from the previous 24 hours. So we were curious about whether we could set up custom time ranges relative to the time of the latest event to get a graph of the data from 1 day before the latest event.

(Note: Not urgent. We adjusted the time range to where we get some pretty graphs for them to check out. We just got curious.)

asked 28 Dec '10, 09:09 by gpburgett


One Answer:

Well, you don't know the latest time without doing a search first, so you need a subsearch to determine the time of the most recent event. Once you do that, it's pretty straightforward to pull out the time and insert it into the search query (via subsearch). There are a couple of ways. Most general:

"searchterm1" "term2" [ search "searchterm1" "term2" | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]

If you have a specific sourcetype, it might (or might not) be slightly more efficient to:

sourcetype=mysourcetype [ metadata type=sourcetypes | where sourcetype=mysourcetype | eval earliest=relative_time(lastTime,"-1d") | eval latest=lastTime | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ]

(You could of course do similarly for a specific source or host.)

answered 28 Dec '10, 18:30 by gkanapathy ♦

edited 17 Oct '11, 01:51

Hi guys, Do you know if this solution still works with Splunk 4.2.1? I'm trying to use the above search but I get the following error every time: "Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side."

Here's the search I'm using:

index=prod sourcetype=odr [search index=prod sourcetype=odr | head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time | fields earliest, latest]

If I run the subsearch as a normal search the earliest & latest fields get returned correctly, but when it's a subsearch it errors out.

Cheers.

(16 Oct '11, 23:51) herbie

Yes. I have corrected the searches, but basically there is a special case with time modifiers in subsearches, so you have to add | format "(" "(" "" ")" "OR" ")" to the subsearch results.

(17 Oct '11, 01:50) gkanapathy ♦
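To make the mechanics of the accepted answer concrete, here is an added illustration that is not part of the original thread and not Splunk's code. It models, in plain Python, what the subsearch does: find the newest event, compute the window from one day before it up to it, and render the earliest/latest row the way `format` hands it back to the outer search. The event timestamps are constructed sample data, and `splunk_format` is a hypothetical stand-in that only approximates the real `format` command (it does not quote values), but it is enough to show why the default column separator leaves a stray `AND` behind once Splunk pulls the time modifiers out, while `format "(" "(" "" ")" "OR" ")"` does not.

```python
"""Simulate the "last day of data" subsearch from the answer above.

Added example, not code from the page or from Splunk. The events below are
constructed sample data and splunk_format is an approximation of the real
`format` command, written here only to show the shape of its output.
"""

ONE_DAY = 86400  # relative_time(_time, "-1d") with no snap is exactly 24h back

# Constructed sample events: epoch seconds around 28 Dec 2010, with the kind
# of gaps an uploaded chunk of log files would have.
BASE = 1293500000
SAMPLE_EVENTS = [
    {"_time": BASE - 200000, "_raw": "old entry"},
    {"_time": BASE - 100000, "_raw": "more than a day before the last event"},
    {"_time": BASE - 90000, "_raw": "still outside the window"},
    {"_time": BASE - 80000, "_raw": "inside the window"},
    {"_time": BASE - 50000, "_raw": "inside the window"},
    {"_time": BASE - 3600, "_raw": "an hour before the last event"},
    {"_time": BASE, "_raw": "latest event"},
]


def latest_window(events, span_seconds=ONE_DAY):
    """Mirror `head 1 | eval earliest=relative_time(_time,"-1d") | eval latest=_time`.

    Returns (earliest, latest) as epoch seconds, anchored on the newest event
    instead of on wall-clock "now".
    """
    latest = max(e["_time"] for e in events)
    return latest - span_seconds, latest


def events_in_window(events, span_seconds=ONE_DAY):
    """Outer-search equivalent: keep events with earliest <= _time <= latest."""
    earliest, latest = latest_window(events, span_seconds)
    return [e for e in events if earliest <= e["_time"] <= latest]


def splunk_format(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                  col_end=")", row_sep="OR", row_end=")"):
    """Hypothetical approximation of Splunk's `format` command.

    Each row becomes col_prefix field=value ... col_end, rows are joined with
    row_sep, and everything is wrapped in row_prefix/row_end. The defaults
    match `format`'s own defaults; pass col_sep="" for the answer's form.
    """
    rendered = []
    for row in rows:
        cols = ["%s=%s" % (k, v) for k, v in row.items()]
        inner = (" %s " % col_sep).join(cols) if col_sep else " ".join(cols)
        rendered.append(" ".join([col_prefix, inner, col_end]))
    return " ".join([row_prefix, (" %s " % row_sep).join(rendered), row_end])


def subsearch_clause(events, use_answer_format=True):
    """Render the clause the subsearch hands back to the outer search."""
    earliest, latest = latest_window(events)
    row = {"earliest": earliest, "latest": latest}
    if use_answer_format:
        # | format "(" "(" "" ")" "OR" ")"  -> no AND between the modifiers
        return splunk_format([row], col_sep="")
    # plain | format -> earliest=... AND latest=...; once Splunk consumes the
    # time modifiers, an "AND" with nothing on its left is what remains
    return splunk_format([row])


if __name__ == "__main__":
    print("default format :", subsearch_clause(SAMPLE_EVENTS, False))
    print("answer's format:", subsearch_clause(SAMPLE_EVENTS, True))
    for e in events_in_window(SAMPLE_EVENTS):
        print(e["_time"], e["_raw"])
```

Running it prints `( ( earliest=1293413600 AND latest=1293500000 ) )` for the default separator and `( ( earliest=1293413600 latest=1293500000 ) )` for the answer's `format` arguments, followed by the four constructed events that fall inside the last day before the newest event.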

Copyright © 2005-2012 Splunk Inc. All rights reserved.