topic Re: How to get the event details between two different dates? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-get-the-event-details-between-two-different-dates/m-p/383918#M112125 <P>Is there any unique ID to correlate the events, other than just the order of events? This seems like logs for a JOB, so can there be multiple jobs running simultaneously? If there are no unique correlation key and multiple job's logs are overlapping, it would be difficult to achieve what you want.</P> Tue, 08 May 2018 14:56:38 GMT somesoni2 2018-05-08T14:56:38Z How to get the event details between two different dates? https://community.splunk.com/t5/Splunk-Search/How-to-get-the-event-details-between-two-different-dates/m-p/383917#M112124 <P>I have a splunk log in the following format:</P> <PRE><CODE>INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: List size: 4688 INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 4688 isDone Status true INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 3688 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: QUERY FORMED: /services/data/v40.0/query?q=SELECT+Id,OpportunityId,MSISDN__c,CreatedDate,LastModifiedDate,Order_System__c,Approximate_Activation_Date__c,SIM_Number__c,IMEI__c,Status+FROM+ORDER+where+CreatedDate%3e2018-05-06T12:03:20.083Z+OR+LastModifiedDate%3e2018-05-06T12:03:20.083Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-06T12:03:20.083Z INFO com.tmobile.sfdc.reports.batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **ACTIVE at START_TIME**: 2018-05-07T18:03:27.854Z INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: **SUCCESSFULLY COMPLETED at END_TIME**: 2018-05-06T19:03:27.854Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: List size: 2688 INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 2688 isDone Status true INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1688 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: Total Size of Records returned 1000 isDone Status false INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: QUERY FORMED: /services/data/v40.0/query?q=SELECT+Id,OpportunityId,MSISDN__c,CreatedDate,LastModifiedDate,Order_System__c,Approximate_Activation_Date__c,SIM_Number__c,IMEI__c,Status+FROM+ORDER+where+CreatedDate%3e2018-05-06T12:03:20.083Z+OR+LastModifiedDate%3e2018-05-06T12:03:20.083Z INFO com.tmobile.sfdc.reports.service.OrderService - ORDER_JOB: lastQueriedDateStamp before query: 2018-05-07T12:03:20.083Z INFO com.tmobile.sfdc.reports.batch.reader.OrderItemReader - ORDER_JOB: new Job.. fetching orders INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ***ORDER_JOB: ACTIVE at START_TIME***: 2018-05-07T18:03:27.854Z </CODE></PRE> <P>All the above are separate events, I want to get a data between the active start time and successfully completed endtime. For Eg:</P> <PRE><CODE>starttime listsize totalRecords lastqueriedtimestamp enddate 2018-05-07T18:03:27.854Z 4688 4688 2018-05-06T12:03:20.083Z 2018-05-06T19:03:27.854Z 2018-05-07T18:03:27.854Z 2688 2688 2018-05-07T12:03:20.083Z 2018-05-06T19:03:27.854Z </CODE></PRE> <P>I know the regex to get each value, but I want to know how to group all the separated events should fall under that two dates. Can anyone please help me to do it?</P> Mon, 07 May 2018 13:59:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-event-details-between-two-different-dates/m-p/383917#M112124 karthi25 2018-05-07T13:59:45Z Re: How to get the event details between two different dates? https://community.splunk.com/t5/Splunk-Search/How-to-get-the-event-details-between-two-different-dates/m-p/383918#M112125 <P>Is there any unique ID to correlate the events, other than just the order of events? This seems like logs for a JOB, so can there be multiple jobs running simultaneously? If there are no unique correlation key and multiple job's logs are overlapping, it would be difficult to achieve what you want.</P> Tue, 08 May 2018 14:56:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-the-event-details-between-two-different-dates/m-p/383918#M112125 somesoni2 2018-05-08T14:56:38Z