https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417319#M168607 <P>I dont have events for these dates but the below dummy search works for me .</P> <PRE><CODE>|makeresults|eval starttime="06/08/2018:00:00:00" |eval endtime="06/08/2018:00:01:00"|eval start_time=strptime(starttime,"%m/%d/%Y:%H:%M:%S") </CODE></PRE> Tue, 03 Jul 2018 05:01:28 GMT renjith_nair 2018-07-03T05:01:28Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417314#M168602 <P>I would like to write a query which will start with <CODE>starttime=06/08/2018:00:00:00 endtime=06/08/2018:00:01:00 index=* ...</CODE> and then take <CODE>starttime</CODE> and <CODE>endtime</CODE> as parameters... and create an epoch time in the result.</P> <P>basically every 1 minute I plan to execute </P> <PRE><CODE>starttime=06/08/2018:00:00:00 endtime=06/08/2018:00:01:00 index=* ... starttime=06/08/2018:00:00:00 endtime=06/08/2018:00:02:00 index=* ... starttime=06/08/2018:00:00:00 endtime=06/08/2018:00:03:00 index=* ... ... </CODE></PRE> <P>and I want to get something as a table like</P> <PRE><CODE>1533686460,1 1533686520,1 1533686580,1 ... </CODE></PRE> <P>thanks</P> Mon, 02 Jul 2018 08:00:47 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417314#M168602 dtakacssplunk 2018-07-02T08:00:47Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417315#M168603 <P>Hi @dtakacssplunk,</P> <P>You could either use <CODE>eval starttime=strptime(starttime,"%m/%d/%Y:%H:%M:%S")</CODE> or just <CODE>eval start_time=starttime</CODE> to get the epoch. Similarly for endtime</P> Mon, 02 Jul 2018 12:52:50 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417315#M168603 renjith_nair 2018-07-02T12:52:50Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417316#M168604 <P>I have tried both but 0 events get returned from either:</P> <P>starttime=07/01/2018:00:00:00 endtime=07/01/2018:00:01:00 eval start_time=starttime | table start_time</P> <P>or</P> <P>starttime=07/01/2018:00:00:00 endtime=07/01/2018:00:01:00 eval start_time=strptime(starttime,"%m/%d/%Y:%H:%M:%S") | table start_time</P> <P>I'm using splunk 6.5</P> Tue, 29 Sep 2020 20:15:20 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417316#M168604 dtakacssplunk 2020-09-29T20:15:20Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417317#M168605 <P>Are you getting events for your existing search ie.<CODE>starttime=06/08/2018:00:00:00 endtime=06/08/2018:00:01:00 index=</CODE>. Can you post a sample event result?</P> Tue, 03 Jul 2018 02:21:10 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417317#M168605 renjith_nair 2018-07-03T02:21:10Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417318#M168606 <P>yes definitely I do get results for:<BR /> starttime=06/08/2018:00:00:00 endtime=06/08/2018:00:01:00 index=*<BR /> (put * after index)</P> <P>I cannot post a sample event result. </P> <P>Do the queries I put above work for your splunk instance? </P> Tue, 03 Jul 2018 03:34:17 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417318#M168606 dtakacssplunk 2018-07-03T03:34:17Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417319#M168607 <P>I dont have events for these dates but the below dummy search works for me .</P> <PRE><CODE>|makeresults|eval starttime="06/08/2018:00:00:00" |eval endtime="06/08/2018:00:01:00"|eval start_time=strptime(starttime,"%m/%d/%Y:%H:%M:%S") </CODE></PRE> Tue, 03 Jul 2018 05:01:28 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417319#M168607 renjith_nair 2018-07-03T05:01:28Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417320#M168608 <P>Why would you run a search every minute to look for the last minute? This would be both very wasteful and does not account for forwarding pipeline latency (a typical average latency from when the event happened to when it gets indexed is ~250 seconds, which is longer than 60 seconds). Let's back up and tell us what data you have (SHOW SAMPLE EVENTS) and explain what you are trying to achieve (forget about SPL for now).</P> Mon, 16 Jul 2018 00:41:21 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417320#M168608 woodcock 2018-07-16T00:41:21Z https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417321#M168609 <P>my intention is to copy events out of splunk into some other store. I would like to periodically run a query and copy the splunk data somewhere else. </P> <P>certain cases the splunk instance is down / times out queries / events show up later then indexing time... </P> <P>usually i could have gotten let's say every hour results and appended to the exported dataset the results. but I do want to upsert. in the upsert key I want to use the starttime </P> <P>anyways seems like starttime / endtime are very special parameters which cannot be used in the table being created</P> Thu, 02 Aug 2018 13:49:12 GMT https://community.splunk.com/t5/Splunk-Search/display-start-and-endtime-in-results/m-p/417321#M168609 dtakacssplunk 2018-08-02T13:49:12Z