topic Re: what is the format to use for a date in a search / dashboard in Splunk Search

what is the format to use for a date in a search / dashboard

mataharry — Thu, 29 Nov 2012 20:51:58 GMT

I tried to specify an exact date for a search time range, but couldn't make it work

relative and epoch date works : earliest=-5d@d or earliest=1352750400

but those fails
earliest="2012/11/12 20:00:00" or "2012-11-12 8:00:00 pm" or "12/11/2012 20:00:00.000"

Re: what is the format to use for a date in a search / dashboard

Drainy — Thu, 29 Nov 2012 20:53:07 GMT

Yup, here is a list of all time modifiers;

http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/SearchTimeModifiers

Re: what is the format to use for a date in a search / dashboard

yannK — Thu, 29 Nov 2012 20:54:21 GMT

the default time format is %m/%d/%Y:%H:%M:%S

example : from November 12th to 15th at 8pm

earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"
or in a dashboard

< earliestTime >12/11/2012:20:00:00< /earliestTime >

it is explained here in timeformat :
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/SearchTimeModifiers

Re: what is the format to use for a date in a search / dashboard

greathera — Thu, 10 Jul 2014 03:49:07 GMT

The stated default time format and the example given do not match up.
The default time format shown is month / day / year. But the example shows day/month/year.

The same error occurs in the example given in the docs located at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/SearchTimeModifiers

"the default time format is %m/%d/%Y:%H:%M:%S
example : from November 12th to 15th at 8pm
earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"

Re: what is the format to use for a date in a search / dashboard

kyleharrison — Fri, 01 Aug 2014 15:32:04 GMT

Took me a while to notice your example had the day and month the wrong way round, should be: earliest="11/12/2012:20:00:00" latest="11/12/2012:20:00:00"

Re: what is the format to use for a date in a search / dashboard

aculveruwo — Thu, 09 Jul 2015 14:34:14 GMT

Yeah, please fix your response to clarify. You say the format is %m/%d/%Y.. (American format) but then you set earliest and latest to show the day first %d/%m/%Y.. (International format).

Re: what is the format to use for a date in a search / dashboard

Rocky31 — Wed, 13 Jan 2016 20:51:05 GMT

What is if i need to change to 4 hours

Re: what is the format to use for a date in a search / dashboard

mIliofotou_splu — Mon, 05 Sep 2016 18:12:36 GMT

As stated by others, the default timestamp format is "%m/%d/%Y:%H:%M:%S", but you can change that!

With the current Splunk 6.4 you specify a different formatter using this syntax:

... timeformat="%Y-%m-%d %H:%M:%S" latest="2016-9-22 12:56:11"

Latest documentation for search time modifiers can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

Re: what is the format to use for a date in a search / dashboard

rnotch — Fri, 01 Dec 2017 21:14:18 GMT

I downvoted this post because yes, since the example and explanation feature conflicting data, this response is impossible to tell which is correct.

Re: what is the format to use for a date in a search / dashboard

daniel_augustyn — Thu, 19 Apr 2018 20:13:23 GMT

I downvoted this post because day/month is opposite

Re: what is the format to use for a date in a search / dashboard

daniel_augustyn — Thu, 19 Apr 2018 20:14:59 GMT

Can Splunk start doing in their examples with a day that is something like 20th-30th so it won't be that much of the confusion here? I love examples with 11/12/2012 which could be either day/month or month/day.

Re: what is the format to use for a date in a search / dashboard

thellmann — Tue, 20 Jul 2021 13:36:39 GMT

Thread necromancy I know, but this answer still pops up on the first page of Google results.

If you are trying to set the earliest/latest time in SimpleXML, you need to use either a relative time or Unix epoch time - the date format as described in the original solution does not work afaik. This is documented here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/PanelreferenceforSimplifiedXML#search

If you are trying to set earliest/latest using SPL, I think yannk's answer is still correct and the reference on this page is correct: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Specifytimemodifiersinyoursearch#Specify_relative_time_ranges_in_your_search