Issue in Splunk with the time brackets

uagraw01
Motivator


Hello Splunkers!!

We recently migrated Splunk from version 8.1.1 to 9.1.1 and encountered the following errors:

ERROR TimeParser [12568 SchedulerThread] - Invalid value "`bin" for time term 'latest'
ERROR TimeParser [12568 SchedulerThread] - Invalid value "$info_max_time_2$" for time term 'latest'

Upon reviewing the Splunk 9.1.1 release notes, I found that this issue is listed as a known bug. Has anyone observed and resolved this issue before?

If you have implemented a fix, could you share the specific configuration changes or workarounds applied? Any insights on where to check (e.g., saved searches, scheduled reports, or specific configurations) would be greatly appreciated.

Below is the screenshot of the known bug in 9.1.1


Thanks in advance for your help!

[Screenshot attachment: uagraw01_0-1740738441912.png]


livehybrid
Super Champion

Hi @uagraw01 

I'm not sure if the bug is related to the issue you are having, as the bug relates to the latest=now being omitted from searches where earliest=<something> is used.

Is this a drilldown search from Enterprise Security? Or something else? Are you able to find the full search that was executed? It is odd that info_max_time_2 looks to contain "`bin" (according to the output) so it would be good to understand how that value could have got there!

If you can't find the search, I'd look into _audit for 5 seconds either side of that error timestamp and start filtering down from there, maybe look for keywords like "bin" as it appears in the error.

Let us know what you find so we can help further!

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

isoutamo
SplunkTrust
I think that @livehybrid is right and this is not exactly the reason for your issue.

Can you share your dashboard where this issue is with us, or at least the part which generates that error? Please use a code block for that dashboard (it is the link/icon </> in the editor).

That SPL-237902 seems to be still there even in 9.4.1.

uagraw01
Motivator

`search_on_index_time("`$input_macro$`", $span$)`
| fields _time source id
| bin _time AS earliest_time span=$span$
| eval latest_time=earliest_time+$span$
| stats values(id) AS ids, values(source) AS sources BY earliest_time latest_time
| eval ids="\"".mvjoin(ids, "\",\"")."\"", sources="\"".mvjoin(sources, "\",\"")."\""
| `fillnull(value="", fields="earliest_time latest_time input_macro summarize_macro sources ids")`
| map maxsearches=20000 search="search earliest=$earliest_time$ latest=$latest_time$ `$input_macro$(\"$sources$\",\"$ids$\")` | `$summarize_macro$($earliest_time$, $latest_time$)` | eval _time=$earliest_time$"
| appendpipe [|where source="route" | collect index=$index$ source="route" | where false()]
| appendpipe [|where source="system" | collect index=$index$ source="system" | where false()]


I am using a macro in one of my saved searches and encountering the below error in Splunk. Based on the known issue, what changes should I make to the macro to resolve this error and eliminate the message?

ERROR TimeParser [24352 SchedulerThread] - Invalid value "$latest_time$" for time term 'latest'

@isoutamo @livehybrid 

 


isoutamo
SplunkTrust

It seems that there are so many macros etc. that we can hardly say anything directly about it.
The only thing I can say is that you should try to resolve it by going forward step by step and trying to find out why latest_time doesn't have a value defined.

This app https://classic.splunkbase.splunk.com/app/1603/ can help you to identify what values you have defined in your code. Just add script=… in your dashboard and it shows the values to you. See e.g. https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf page 4.
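The two debugging steps suggested in this thread (@livehybrid: find the executed search that carries the odd value from the log; @isoutamo: work through the SPL step by step to find why latest_time has no value) can be done offline against exported splunkd.log lines and the saved search text. The script below is an added example written for this thread, not code from any of the posters or from Splunk: it pulls the rejected value and time term out of each "ERROR TimeParser" line, scans SPL for earliest=/latest= assignments whose value is still a $token$ or contains a macro backtick, and joins the two so each logged value can be traced to the place in the search that produced it. The log timestamps, index names and the shortened SPL are constructed sample data; the error texts are the ones quoted in the thread.

```python
"""Trace Splunk TimeParser errors back to token-based time terms in SPL.

Added example for the forum thread above; not code from the thread's authors or
from Splunk. Sample log lines and SPL are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Shape of the splunkd.log lines quoted in the thread. Several errors may be
# run together on one line, so finditer() is used rather than a full-line match.
ERROR_RE = re.compile(
    r"ERROR TimeParser \[(?P<tid>\d+) (?P<thread>\w+)\] - "
    r"Invalid value \"(?P<value>[^\"]*)\" for time term '(?P<term>\w+)'"
)

# earliest=/latest= assignments in SPL: the value is a quoted string or a bare word.
# "\b" plus the immediate "=" keeps field names such as latest_time from matching.
TIME_TERM_RE = re.compile(r"\b(?P<term>earliest|latest)\s*=\s*(?P<value>\"[^\"]*\"|\S+)")

# A value that is still a dashboard/map token, e.g. $latest_time$ or $info_max_time_2$.
TOKEN_RE = re.compile(r"\$[\w.]+\$")


def parse_timeparser_errors(log_text: str) -> List[Dict[str, str]]:
    """Return one dict (tid, thread, value, term) per TimeParser error in the log."""
    return [m.groupdict() for m in ERROR_RE.finditer(log_text)]


def find_suspect_time_terms(spl: str) -> List[Tuple[str, str, str]]:
    """Return (term, value, reason) for every time term whose value the time parser
    cannot accept literally: an unexpanded $token$, or a value still containing a
    macro backtick. Inside a map search="..." string such tokens are expected and
    are substituted per input row; the same value showing up literally in the log
    means that substitution did not happen for that row."""
    findings = []
    for m in TIME_TERM_RE.finditer(spl):
        term = m.group("term")
        value = m.group("value").strip('"')
        if "`" in value:
            findings.append((term, value, "backtick in time value (macro not expanded)"))
        elif TOKEN_RE.fullmatch(value):
            findings.append((term, value, "unexpanded token"))
    return findings


def trace_errors_to_spl(log_text: str, spl: str) -> List[Tuple[str, str, str]]:
    """Join the (term, value) pairs rejected in the log with the suspect time terms
    found in the SPL, so each error can be pointed at its origin in the search."""
    rejected = {(e["term"], e["value"]) for e in parse_timeparser_errors(log_text)}
    return [f for f in find_suspect_time_terms(spl) if (f[0], f[1]) in rejected]


# Constructed sample log: the error texts are the ones quoted in the thread,
# the timestamps are made up.
SAMPLE_LOG = (
    "02-28-2025 10:07:21.000 +0000 ERROR TimeParser [12568 SchedulerThread] - "
    "Invalid value \"`bin\" for time term 'latest' ERROR TimeParser [12568 SchedulerThread] - "
    "Invalid value \"$info_max_time_2$\" for time term 'latest'\n"
    "02-28-2025 10:09:02.000 +0000 ERROR TimeParser [24352 SchedulerThread] - "
    "Invalid value \"$latest_time$\" for time term 'latest'\n"
)

# Constructed, shortened version of the map-based saved search from the thread.
SAMPLE_SPL = (
    "index=web earliest=-24h latest=now "
    "| bin _time AS earliest_time span=1h "
    "| eval latest_time=earliest_time+3600 "
    "| stats count BY earliest_time latest_time "
    '| map maxsearches=100 search="search earliest=$earliest_time$ latest=$latest_time$ '
    'index=web | stats count"'
)


if __name__ == "__main__":
    for err in parse_timeparser_errors(SAMPLE_LOG):
        print(f"log: term={err['term']} value={err['value']!r} thread={err['thread']}")
    for term, value, reason in find_suspect_time_terms(SAMPLE_SPL):
        print(f"spl: {term}={value}  ({reason})")
    print("traced:", trace_errors_to_spl(SAMPLE_LOG, SAMPLE_SPL))
```

Running it on the sample data lists the three rejected values from the log, the two token-based time terms inside the map search string, and reports that the "$latest_time$" error matches the latest=$latest_time$ assignment there; the "`bin" and "$info_max_time_2$" values have no counterpart in this SPL, which is the case where the _audit search for the actual executed query is the next step.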
