Time Range for Searching Splunk Events
By Tyler Phillips, Splunk Consultant
In my view, _time is the most effective filter in Splunk. Setting the time picker can eliminate thousands, if not millions, of events from your results. That elimination can be a good thing or a bad thing.
So what if you want to see the events that come before and after a given event, so you can view the complete process in a dashboard? That exact question was recently asked by a client, with a kicker: they wanted to paste the event's timestamp into a field and have the dashboard automatically gather the surrounding events. They did not want to use the time picker, because working out the surrounding times by hand and then finding the right setting in the picker took too long. They wanted to copy and paste directly from the original event. Challenge accepted!
First, I add my inputs. The technique only needs one text input (I use the token name time), but I am also going to show how to change the size of the range you are searching with two dropdown inputs that let you add more time before or after the search time.
Now let's add a table to the dashboard and give it a query. For this example, I will use a simple search (index=_internal sourcetype=splunkd).
Now let's add the time restriction to the search query. I am using the %Y-%m-%dT%H:%M:%S time format, so the timestamp pasted into the input must match that format (for example 2023-05-04T13:45:00); if your events display their timestamps differently, change the format string to match.
Here is what I added to my search:
[ | makeresults | eval earliest_time=relative_time(strptime("$time$","%Y-%m-%dT%H:%M:%S"), "-10m") | return earliest_time ]
[ | makeresults | eval latest_time=relative_time(strptime("$time$","%Y-%m-%dT%H:%M:%S"), "+10m") | return latest_time ]
The time token fills in the string that strptime parses. Each subsearch shifts that parsed time by a relative offset and returns it as the earliest_time or latest_time bound for the outer search.
Notice that the newest event is now within 10 minutes after the time I input.
And that's it! We have successfully restricted the events to a 20-minute window around our time input. But what if we want to use different time ranges?
Let's add two more inputs for the before and after offsets. I added two dropdowns that list the different offsets we want to choose from. I called them Earliest and Latest and used the token names earliest_tok and latest_tok.
Now let's add the offsets we want to select from (each choice's value is a relative-time string such as -15m or +15m):
All we have left to do is replace the fixed offsets in our search with these tokens. Our new search will be:
index=_internal sourcetype=splunkd
[ | makeresults | eval earliest_time=relative_time(strptime("$time$","%Y-%m-%dT%H:%M:%S"), "$earliest_tok$") | return earliest_time ]
[ | makeresults | eval latest_time=relative_time(strptime("$time$","%Y-%m-%dT%H:%M:%S"), "$latest_tok$") | return latest_time ]
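Putting the steps together, here is the complete Simple XML source for a dashboard built the way this post describes. This is an added example, not the dashboard from the original post: the dropdown choices and defaults, the submit button, the table fields (host, component, log_level and message are fields of the splunkd sourcetype) and the version="1.1" attribute on the form element are my assumptions. One deliberate change from the post's search is the token filter $...|s$, which is explained in the comment and the note below.

```xml
<!-- Added example: a complete Simple XML dashboard built from the steps in
     this post. Dropdown choices, defaults and the table fields are
     assumptions; version="1.1" is what current Splunk releases expect for
     classic (Simple XML) dashboards. -->
<form version="1.1">
  <label>Events around a pasted timestamp</label>

  <!-- Inputs: one text box for the pasted timestamp and two dropdowns for
       the window size. submitButton="true" stops the search from firing on
       every keystroke; the panel runs once all three tokens are set. -->
  <fieldset submitButton="true">
    <input type="text" token="time">
      <label>Event timestamp (format %Y-%m-%dT%H:%M:%S)</label>
    </input>
    <input type="dropdown" token="earliest_tok">
      <label>Earliest</label>
      <choice value="-5m">5 minutes before</choice>
      <choice value="-10m">10 minutes before</choice>
      <choice value="-15m">15 minutes before</choice>
      <choice value="-30m">30 minutes before</choice>
      <choice value="-1h">1 hour before</choice>
      <default>-10m</default>
    </input>
    <input type="dropdown" token="latest_tok">
      <label>Latest</label>
      <choice value="+5m">5 minutes after</choice>
      <choice value="+10m">10 minutes after</choice>
      <choice value="+15m">15 minutes after</choice>
      <choice value="+30m">30 minutes after</choice>
      <choice value="+1h">1 hour after</choice>
      <default>+10m</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>splunkd events around the pasted timestamp</title>
      <table>
        <search>
          <!-- Every token value arrives from the browser and is spliced into
               the SPL string verbatim (a dropdown's token can also be set
               from the URL, so it is not limited to the listed choices).
               The |s filter wraps the value in double quotes and escapes any
               embedded quotes or backslashes, so each token can only ever be
               parsed as a string literal and cannot break out into SPL. -->
          <query>index=_internal sourcetype=splunkd
  [ | makeresults | eval earliest_time=relative_time(strptime($time|s$, "%Y-%m-%dT%H:%M:%S"), $earliest_tok|s$) | return earliest_time ]
  [ | makeresults | eval latest_time=relative_time(strptime($time|s$, "%Y-%m-%dT%H:%M:%S"), $latest_tok|s$) | return latest_time ]
| table _time host component log_level message</query>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Two things to check when you adapt this. First, the quotes in the query must be plain ASCII double quotes; curly quotes pasted from a word processor or web page are not string delimiters in SPL and the search will fail to parse. Second, the pasted value has to match the strptime format exactly: when it does not, strptime returns null, the subsearch no longer supplies a usable bound, and the panel quietly stops being restricted to the window. If the results look wider than expected, use Open in Search on the panel to see the expanded search that actually ran.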
Now you can see that the Latest dropdown is set to 15 minutes, and the newest event is 15 minutes after the time I input.
There you have it! Add this to any search in a dashboard and you can find the events in any range around a given time with just a few inputs. Contact us if you'd like to chat!