https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331099#M159818 <P>You can put second query in saved search set earliest and latest. </P> Thu, 27 Jul 2017 03:18:47 GMT sbbadri 2017-07-27T03:18:47Z https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331098#M159817 <P>My search operation consists of two parts</P> <P>Part 1: This job runs every 6 hours and keeps appending to the results obtained to a csv file<BR /> Query1-&gt; <BR /> index=INDEXA earliest=-6h@h latest=@h sourcetype=ABC "service=randomservice" (api_name=API1 OR api_name=API2 ) [search index=INDEXA earliest=-6h@h latest=@h sourcetype=ABC "service=randomservice" (api_name=API1 OR api_name=API2 ) | search XYZ= DEF | fields COMMONID | dedup COMMONID ]<BR /><BR /> | stats first(_time) as _time, values(XYZ) AS XYZ, values(PQR) AS PQR by COMMONID | fillnull PQR value="NULL" | sort _time | outputcsv append=true testCSV.csv</P> <P>Part2: I need to extract the values from the csv within a specified time period. For example all the events between earliest = -1d@d and latest=@d . How do i achieve this, i'm unable to figure this out?<BR /> Query2-&gt;<BR /> | inputcsv testCSV.csv | "What query do i need to give here to achieve the desired results?"</P> Tue, 29 Sep 2020 15:03:59 GMT https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331098#M159817 tareddy 2020-09-29T15:03:59Z https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331099#M159818 <P>You can put second query in saved search set earliest and latest. </P> Thu, 27 Jul 2017 03:18:47 GMT https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331099#M159818 sbbadri 2017-07-27T03:18:47Z https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331100#M159819 <P>I'm facing difficulties in extracting the time from the csv file. Earliest and latest keywords aren't working. </P> Thu, 27 Jul 2017 03:49:35 GMT https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331100#M159819 tareddy 2017-07-27T03:49:35Z https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331101#M159820 <P>| stats earliest(_time) as earliestTime , latest(_time) as latestTime, values(XYZ) AS XYZ, values(PQR) AS PQR by COMMONID | eval earliest=strftime(earliestTIme,"%Y-%m-%d %H:%M:%S") | eval latest=strftime(latestTime,"%Y-%m-%d %H:%M:%S")| fillnull PQR value="NULL" | sort _time| outputcsv append=true testCSV.csv</P> <P>second query </P> <P>| inputcsv testCSV.csv | table earliest latest</P> Tue, 29 Sep 2020 15:04:05 GMT https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331101#M159820 sbbadri 2020-09-29T15:04:05Z https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331102#M159821 <P>Hi @tareddy<BR /> <EM>| inputcsv testCSV.csv</EM> , you will get date(human readable or EPOCH, However you had put them while creating CSV as <STRONG>STRING</STRONG>) , so u need to format string to time using <STRONG>strptime</STRONG> and <STRONG>strftime</STRONG> , once you have it in timeformat. you can use filters to get your desired results </P> Thu, 27 Jul 2017 08:36:37 GMT https://community.splunk.com/t5/Splunk-Search/Searching-events-within-a-time-range-from-csv-file/m-p/331102#M159821 nawneel 2017-07-27T08:36:37Z