<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Time manipulation doesn't work in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Time-manipulation-doesn-t-work/m-p/65555#M13170</link>
    <description>&lt;P&gt;My query runs for the past week and I want to append to sets of results from 2 different date ranges. What is my mistake?&lt;/P&gt;

&lt;P&gt;eventId="43330100000002004" | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as "new_t" |search "join room success" earliest="02/04/2012 12:00:00" latest="02/05/2012 12:00:00"&lt;/P&gt;</description>
    <pubDate>Mon, 28 Sep 2020 10:23:37 GMT</pubDate>
    <dc:creator>Yarsa</dc:creator>
    <dc:date>2020-09-28T10:23:37Z</dc:date>
    <item>
      <title>Time manipulation doesn't work</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-manipulation-doesn-t-work/m-p/65555#M13170</link>
      <description>&lt;P&gt;My query runs for the past week and I want to append to sets of results from 2 different date ranges. What is my mistake?&lt;/P&gt;

&lt;P&gt;eventId="43330100000002004" | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as "new_t" |search "join room success" earliest="02/04/2012 12:00:00" latest="02/05/2012 12:00:00"&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 10:23:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-manipulation-doesn-t-work/m-p/65555#M13170</guid>
      <dc:creator>Yarsa</dc:creator>
      <dc:date>2020-09-28T10:23:37Z</dc:date>
    </item>
    <item>
      <title>Re: Time manipulation doesn't work</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Time-manipulation-doesn-t-work/m-p/65556#M13171</link>
      <description>&lt;P&gt;FIrst, the time format in the earliest and latest is wrong. It should be&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; earliest="02/04/2012:12:00:00" latest="02/05/2012:12:00:00"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Also, the search command on the second line does not run an independent search. The search command searches within the previous search results.  You may want to use the append command instead. For example&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;eventId="43330100000002004" | convert timeformat="%m/%d/%y %H:%M:%S" ctime(_time) as "new_t" |
append [search "join room success" earliest="02/04/2012:12:00:00" latest="02/05/2012:12:00:00"]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 07 Feb 2012 05:07:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Time-manipulation-doesn-t-work/m-p/65556#M13171</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2012-02-07T05:07:56Z</dc:date>
    </item>
  </channel>
</rss>

