topic Re: earliest_time not working in REST post data, but working in search in Getting Data In

earliest_time not working in REST post data, but working in search

shikhanshu — Mon, 25 Sep 2017 21:15:40 GMT

I am sending a POST request to Splunk REST 'services/search/jobs' endpoint.

If I submit with 'earliest_time' parameter as a relative string like -2d, it works fine. But if I use an absolute date-time string like "9/24/2017:10:00:00", it comes back with 0 results.

Instead, if I don't pass earliest_time parameter, and embed the earliest in the query itself like "earliest='9/24/2017:10:00:00'", it works fine.

Is this a known bug? Or am I doing something wrong?

Re: earliest_time not working in REST post data, but working in search

DalJeanis — Mon, 25 Sep 2017 22:08:47 GMT

Passing the values in the search SPL itself overrides the earliest= parameter from the interface, so that doesn't tell you why you are having the interface issue.

I suspect it is an issue with quoting. Try setting the value to...

&quot;09/24/2017:10:00:00&quot;

Re: earliest_time not working in REST post data, but working in search

shikhanshu — Mon, 25 Sep 2017 23:43:11 GMT

I was not sending 'earliest' in the SPL query earlier. I was sending 'earliest_time' parameter from the interface. Since latter did not work for absolute datetime string, I now switched to 'earliest' in SPL itself which works.

I went back to sending 'earliest_time' and tried adding " around the value. That did not help. Splunk still comes back with 0 results.

I am ok with using 'earliest=' in SPL, unless it is less efficient or not recommended, as compared to 'earliest_time' from interface.

Re: earliest_time not working in REST post data, but working in search

xavierashe — Mon, 23 Oct 2017 16:44:40 GMT

Use dashes instead of slashes:

curl -k -u user https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index=firewalls dest=%22172.0.0.1%22" -d output_mode=raw -d earliest_time="2017-01-01T00:00:00.000-04:00"

Re: earliest_time not working in REST post data, but working in search

shikhanshu — Mon, 23 Oct 2017 17:12:42 GMT

Dashes is what I have always had anyway. In any case, I have switched over the embedding the 'earliest_time' in the query itself rather than as a separate data item in POST request and that works fine. So I will just stick to that. Thanks for the response!

Re: earliest_time not working in REST post data, but working in search

shikhanshu — Mon, 23 Oct 2017 20:12:55 GMT

I did try with "YYYY-mm-dd:H:i:s" format and that works!