brunotm / elasticsplunk

A Search command to explore Elasticsearch data within Splunk.
MIT License
40 stars, 25 forks

Time Field cross Apps #3

Closed ctyk3322 closed 6 years ago

ctyk3322 commented 6 years ago

Curious: is there a way to make the latest and earliest fields work in other apps? The fix in the other issue does work in the ElasticSplunk app. But if I try to use the ess command in something like Search & Reporting, it still defaults to the time in the GUI rather than the time in the search command.

brunotm commented 6 years ago

Hello @ctyk3322 sorry for the late reply.

Did you hit this in a dashboard or in the search bar?

ctyk3322 commented 6 years ago

@brunotm np, I am running across this issue in the search bar.

brunotm commented 6 years ago

@ctyk3322 while I wasn't able to reproduce your issue, I did find a problem parsing the earliest/latest timestamps specified (other than relative ones, e.g. now-4h, which work correctly), which I will investigate further.

Can you provide an example of your search with the earliest/latest spec?

Thanks!

ctyk3322 commented 6 years ago

@brunotm here is my attempt at sharing an example.

If I am in the ElasticSplunk app in Splunk, I would execute the following query and it returns the search data correctly. I can leave the GUI search ticker at 60 minutes, but the earliest time will go back a year and return the results correctly.

|ess eaddr=elasticsearch-server:9200 index=data query=fooo:data_in_foo tsfield="@timestamp" latest=now earliest="now-1y"

However, if I take the same exact search string and use it in, say, the "Search & Reporting" app of Splunk, I get 0 results. Now if I use the Splunk GUI timer and search back to the specific time the data exists, then I will get my results as expected.

It seems that the tsfield="@timestamp" latest=now earliest="now-1y" time fields in the search command are not overriding the search time set in the Splunk GUI for the other apps outside of ElasticSplunk.

Hopefully this helps a little bit.

brunotm commented 6 years ago

@ctyk3322 I couldn't reproduce this. Setting earliest/latest in the search command overrides the time picker values in my setup (Splunk 7 with the latest code from the master branch).

Which Splunk version are you using? Can you test with the latest code from the master branch (it has support for nested docs and updated libraries)?
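The two points raised in this thread, that explicit earliest/latest arguments on the command must win over the Splunk time picker, and that absolute timestamps (as opposed to relative date math such as now-4h) were not being parsed, are easy to get subtly wrong. The following is an added example, not code from the elasticsplunk project, showing one way a custom search command could resolve the window and emit the Elasticsearch range clause. It assumes the command's earliest/latest values arrive as strings, that the time picker bounds arrive as epoch-seconds strings (the shape of earliest_time/latest_time in a custom command's search info, with "" or "0" meaning unbounded), and that the target field is an Elasticsearch date field, so date-math strings like now-1y can be passed through for the server to evaluate. Function names and the parsing rules are this example's own, not the project's.

```python
"""Resolve the earliest/latest window for an Elasticsearch range filter.

Added example, not code from the elasticsplunk project.  Assumptions:
  * command arguments (earliest=..., latest=...) arrive as strings,
  * Splunk time picker bounds arrive as epoch-seconds strings ("" or "0"
    meaning unbounded), as in a custom command's search info,
  * the target Elasticsearch field is a date field, so date-math strings
    such as now-1y can be handed to the server unchanged.
"""
import re
from datetime import datetime, timezone

# Elasticsearch date math: "now", optional +/-<n><unit> terms, optional
# "/<unit>" rounding suffix, e.g. now-4h, now-1y, now-1d/d.
_DATE_MATH = re.compile(r"^now(?:[+-]\d+[yMwdhHms])*(?:/[yMwdhHms])?$")
# Absolute forms accepted here; naive values are treated as UTC.
_ISO_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S",
                "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")


def parse_time_spec(spec):
    """Normalise one earliest/latest value for a range clause on a date field.

    Relative date math is validated and returned unchanged (a str);
    absolute values (epoch seconds, epoch milliseconds, or ISO-8601) are
    converted to epoch milliseconds (an int).  Anything else raises, so a
    typo fails loudly instead of silently widening the search window.
    """
    spec = spec.strip()
    if _DATE_MATH.match(spec):
        return spec
    if re.fullmatch(r"\d+(\.\d+)?", spec):
        value = float(spec)
        # Heuristic: values of 13+ digits are already milliseconds.
        return int(value) if value >= 1e12 else int(value * 1000)
    for fmt in _ISO_FORMATS:
        try:
            dt = datetime.strptime(spec, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return int(dt.timestamp() * 1000)
    raise ValueError("unsupported time spec: %r" % spec)


def resolve_window(cmd_earliest, cmd_latest, picker_earliest, picker_latest):
    """Pick the effective (earliest, latest) bounds.

    An explicit command argument always wins over the time picker; an
    absent or "all time" picker bound yields None (no bound).
    """
    def pick(cmd_value, picker_value):
        if cmd_value:                       # command argument has precedence
            return parse_time_spec(cmd_value)
        if picker_value and float(picker_value) > 0:
            return parse_time_spec(picker_value)
        return None
    return pick(cmd_earliest, picker_earliest), pick(cmd_latest, picker_latest)


def build_range_filter(tsfield, earliest, latest):
    """Build the Elasticsearch query clause for the resolved window.

    The window is half-open (gte / lt), matching Splunk's own convention,
    so adjacent windows never count a boundary event twice.
    """
    bounds = {}
    if earliest is not None:
        bounds["gte"] = earliest
    if latest is not None:
        bounds["lt"] = latest
    if not bounds:
        return {"match_all": {}}
    return {"range": {tsfield: bounds}}


if __name__ == "__main__":
    # Constructed scenario from the thread: picker set to "last 60 minutes"
    # (epoch-seconds strings), command asks for the last year.
    earliest, latest = resolve_window("now-1y", "now", "1493629200", "1493632800")
    print(build_range_filter("@timestamp", earliest, latest))
    # Same picker, no command arguments: the picker bounds are used instead.
    earliest, latest = resolve_window("", "", "1493629200", "1493632800")
    print(build_range_filter("@timestamp", earliest, latest))
```

The design choice worth noting is that relative specs are not evaluated client side: the string is validated against the date-math grammar and left for Elasticsearch to resolve, so the "now" used is the cluster's clock at query time and rounding suffixes behave exactly as they would in a direct query. Absolute values are normalised to epoch milliseconds instead, which a default-mapped date field accepts regardless of its configured format.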

ctyk3322 commented 6 years ago

@brunotm thanks for trying. I will get the code loaded to see if it makes a difference. I am running 6.5.2.

I am fine with closing this out for the time being while I dig into this further.