Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I get search start time and end time value ?

zacksoft
Contributor
‎09-24-2020 01:10 AM

How do I get the  job-execution start time and job execution endtime of my  query as output of the query.

index = some_index source = somesoure
| some_logic added here
| eval search_starttime = $job.earliestTime$
| eval search_endtime = $job.latestTime$
| table some_logic_output search_starttime search_endtime

I am seeing no result for the search_starttime and search_endtime column in my table.
Any help ?

What I mean here is, how do I get  the _time value for the earliest event and the _time value of my latest event of my search resultset ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-24-2020 08:30 AM

Try addinfo.

index = some_index source = somesoure
| some_logic added here
| addinfo
| eval search_starttime = info_min_time
| eval search_endtime = info_max_time
| table some_logic_output search_starttime search_endtime
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

zacksoft
Contributor
‎09-24-2020 08:58 AM

@richgalloway It gives me search_starttime as 0 and search_endtime as+infinity.   😞
Sorry , for the confusion.
But what I meant is, how do I get  the _time value for the earliest event and the _time value of my latest event of my search result.


0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-24-2020 09:06 AM
Please try

.... | stats .... earliest_time(_time) as eTime latest_time(_time) as lTime ....
0 Karma
Reply

zacksoft
Contributor
‎09-24-2020 09:32 AM

Thanks @isoutamo 
But my problem is if I use stats then that value isn't get dynamically passed to the macro. 

search index = index_name source = source_name
| fields + bio, _time
| stats  earliest_time(_time) as eTime latest_time(_time) as lTime
| eval Proj_Name = "my big project"
| `my_Macro(Proj_name, eTime, lTime)`
|table proj_value , proj_date

In the above case the macro doesn't get invoked.

However if I change something like below then the macro works and I get the desired result.

 search index = index_name source = source_name
| fields + bio, _time
| eval eTime=6735475120.999
|eval lTime=6542213344.976
| eval Proj_Name = "my big project"
| `my_Macro(Proj_name, eTime, lTime)`
|table proj_value , proj_date

It works with eval statement But I cannot hard-code the earliest and latest time. It has to to be dynamic based on the latest_event time and earliest event time. In the macro eTime and lTime values gets passed as earliest and latest values of a dashboard URL, and the Macro outputs that URL along with few other values.

0 Karma
Reply

pwilson
Explorer
‎09-08-2022 11:10 AM

The eventstats command is what you're looking for. Please try:

search index = index_name source = source_name
| fields + bio, _time
| eventstats  earliest_time(_time) as eTime latest_time(_time) as lTime
| eval Proj_Name = "my big project"
| `my_Macro(Proj_name, eTime, lTime)`
| table proj_value , proj_date

 

eventstats splunk doc

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

What is the Builder Bar? The Builder Bar is more than just a place; it's a hub of creativity, collaboration, ...

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...