https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681332#M113839 <P>It depends on how you are "auto-generating" them - you could possibly change the process that generates them to divide by 1000?</P> Wed, 20 Mar 2024 09:14:52 GMT ITWhisperer 2024-03-20T09:14:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681279#M113821 <P>I have two timestamps in milliseconds: start=1710525600000, end=1710532800000.</P> <P>How can I search for logs between those timestamps? Let's say I want to run this query:</P> <LI-CODE lang="markup">index=my_app | search env=production | search service=my-service</LI-CODE> <P><BR />How to specify the time range in millis for this query?</P> Tue, 19 Mar 2024 23:54:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681279#M113821 Daniel24 2024-03-19T23:54:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681287#M113824 <P>Your examples are round seconds, but if you have epoch times to search between use the epoch with decimal places where required, so your example (which actually has no millisecond time) could be</P><LI-CODE lang="markup">index=my_app earliest=1710525600.000 latest=1710532800.000 env=production service=my-service</LI-CODE><P>&nbsp;</P> Tue, 19 Mar 2024 23:10:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681287#M113824 bowesmana 2024-03-19T23:10:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681324#M113835 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;I'm autogenerating those milliseconds and I can't manipulate them. That's why I'm asking. I know that `earliest` and `latest` should be in seconds, but I have milliseconds as input.</P> Wed, 20 Mar 2024 08:20:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681324#M113835 Daniel24 2024-03-20T08:20:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681332#M113839 <P>It depends on how you are "auto-generating" them - you could possibly change the process that generates them to divide by 1000?</P> Wed, 20 Mar 2024 09:14:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681332#M113839 ITWhisperer 2024-03-20T09:14:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681333#M113840 <P>No, it's impossible to change the process, I don't control it. Is there any function in Splunk that can do this conversion? When I try earliest=timestamp/1000 it doesn't work.</P> Wed, 20 Mar 2024 09:18:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681333#M113840 Daniel24 2024-03-20T09:18:37Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681335#M113841 <P>So, it depends on how you are getting these values and including them in your search. Please provide more details. (You may be able to use Splunk to preprocess your values in a subsearch, but it depends where they come from.)</P> Wed, 20 Mar 2024 09:22:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681335#M113841 ITWhisperer 2024-03-20T09:22:38Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681336#M113842 <P>I can paste those values as URL parameters. So, I can have this URL as input:<BR /><A href="https://my.splunkcloud.com/en-GB/app/my_app/search?q=search%20index%3Dkubernetes_app%20env%3Dproduction%20service%3Dmy-service&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;earliest=1710525600000&amp;latest=1710532800000" target="_blank">https://my.splunkcloud.com/en-GB/app/my_app/search?q=search%20index%3Dkubernetes_app%20env%3Dproduction%20service%3Dmy-service&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;earliest=1710525600000&amp;latest=1710532800000</A></P> Wed, 20 Mar 2024 09:26:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681336#M113842 Daniel24 2024-03-20T09:26:43Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681338#M113844 <P>Can you change the URL in any way or is that all you have to make a search and there's no other component or processed in the middle</P> Wed, 20 Mar 2024 09:30:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681338#M113844 bowesmana 2024-03-20T09:30:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681339#M113845 <P>I can't change the values that I paste into the URL. I can change the parameters in the query, but not the values. I have that number of milliseconds and can't manipulate it.</P> Wed, 20 Mar 2024 09:33:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681339#M113845 Daniel24 2024-03-20T09:33:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681340#M113846 <P>If you can change the URL parameters then you can create a subsearch that takes the ms parameters as parameters e and l. In the subsearch you can do the division and rename the fields earliest and latest. When passed out of the subsearch they will be treated as earliest and latest</P> Wed, 20 Mar 2024 09:38:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681340#M113846 bowesmana 2024-03-20T09:38:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681341#M113847 <P>&nbsp;</P><P>This format of the query params</P><P>q=search%20index%3D_audit%20%5B%20%7C%20makeresults%20%7C%20eval%20e%3D1710924016000%2Cl%3D1710927616000%2C%20earliest%3De%2F1000%2C%20latest%3Dl%2F1000%20%7C%20fields%20earliest%20latest%20%5D</P><P>is what is required to search the _audit index for 1 hour, so if you can construct the subsearch and set the e and l parameters as in&nbsp;</P><P>%5B%20%7C%20makeresults%20%7C%20eval%20e%3D1710924016000%2Cl%3D1710927616000%2C%20earliest%3De%2F1000%2C%20latest%3Dl%2F1000%20%7C%20fields%20earliest%20latest%20%5D</P><P>it will do this search</P><P>index=_audit [ | makeresults | eval e=1710924016000,l=1710927616000, earliest=e/1000, latest=l/1000 | fields earliest latest ]</P><P>&nbsp;</P> Wed, 20 Mar 2024 09:45:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681341#M113847 bowesmana 2024-03-20T09:45:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681342#M113848 <P>What does the whole query should look like?&nbsp;</P> Wed, 20 Mar 2024 09:51:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-search-with-time-specified-in-milliseconds/m-p/681342#M113848 Daniel24 2024-03-20T09:51:57Z