custom timeframe on cli with saved searches

Question

How do you change the time period of a saved search when running from the CLI?

Right now I have a saved search that runs over a 30min window by default. I normally will run it like this:

/opt/splunk/bin/splunk search  "|savedsearch \"Top HTTP Response Codes\""

Assuming I want to run that same saved search over a 1h window what can I do? I tried this but it did not seem to work:

/opt/splunk/bin/splunk search  "|savedsearch \"Top HTTP Response Codes\"" -earliest_time "−50m"

I don't get any errors but it ran it over the same timeframe as before.

Accepted Answer

3

currently there is no way to override the time range over which the savedsearch is executed when ran from the CLI. Unfortunately there currently is no workaround for this issue.

I have filed a bug, SPL-33374, which should be fixed in one of the next maintenance releases.

link

answered 20 Aug '10, 16:24

Ledion Bitincka ♦
1.5k●3●6
accept rate: 35%

Answer 2

0	Is this still the case ?? can you still not use a defined time frame on a saved search ? link answered 12 Oct '11, 23:40 SeanWilliams 1 accept rate: 0%

custom timeframe on cli with saved searches

Follow this question

Splunk Resources

Related questions