topic Re: events between a specific time in Splunk Search

events between a specific time

smolcj — Tue, 04 Dec 2012 06:18:11 GMT

hi all,
how can i query , so that i could be able to get events between a specific time.t the time willbe dynamic so that i cant use earliest or latest time options
please help
thank you

Re: events between a specific time

Drainy — Tue, 04 Dec 2012 09:11:15 GMT

We'd need more detail than this, do you have a search already? where will the time be coming from? will this be in a dashboard/form?

Re: events between a specific time

smolcj — Mon, 28 Sep 2020 12:54:28 GMT

source=src.txt START | append [search index=main source=src.txt | search END]
this is my search query and i will get start and end events but not the events between thenm. i tried appending |search _time>=earliest(_time) _time<=latest(_time)
please help me with a good search
thank you

Re: events between a specific time

Ayn — Tue, 04 Dec 2012 10:34:34 GMT

Is there a specific reason for not using transaction for this?

Also what do the times have to do with this? The way I see it you just want to fetch everything between an event containing "START" and an event containing "END"?

Re: events between a specific time

smolcj — Tue, 04 Dec 2012 12:04:43 GMT

the values are occuring multiple times i.e
i need the duration between start and end but i will have 3 or 4 pairs of the same repeated in the log.

Re: events between a specific time

kristian_kolb — Tue, 04 Dec 2012 13:45:26 GMT

Some actual data would be beneficial, but transaction can come a long way in getting this sorted out. There are several types of constraints to limit the 'greediness'.

Re: events between a specific time

dart — Wed, 05 Dec 2012 18:25:02 GMT

I'd try source=src.txt | transaction startswith="START" endswith="END"

Re: events between a specific time

smolcj — Thu, 06 Dec 2012 07:32:46 GMT

this works well for certain number of events, if the number of events is more, i am getting the output as
"Nothing to inspect "

Re: events between a specific time

Drainy — Thu, 06 Dec 2012 08:35:37 GMT

What is this mysterious "certain number" of events? You really need to think how others will read or understand your questions or comments before posting them, they need to actually advance our understanding of the problem in order to help 😉 Have a read of the transaction docs, there are a number of limits which the command can hit while running, you may just need to override them with more suitable values. http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

Re: events between a specific time

smolcj — Thu, 06 Dec 2012 11:01:34 GMT

sorry i was trying with maxspan=the number of events i nedd, it has to be exactly the events in the returned search result. maxevents=8000 worked well.
thank you
drainy,
I think if people didnt understand the comment/question they can ask it, that is the need of an interactive forum , i felt my question was quite ok to understand, and i am sorry for my bad english. will try to improve.
thank you

Re: events between a specific time

Drainy — Thu, 06 Dec 2012 11:02:59 GMT

Not quite, if you ever say things like, "certain number" or "my query" then it should set alarm bells ringing, those should be a number or a query. Without the detail there is nothing anyone can do but ask you a question instead of offering an answer, which defeats the point of you asking something to begin with 🙂

Re: events between a specific time

Drainy — Thu, 06 Dec 2012 11:19:44 GMT

Also, why are you posting on here under multiple usernames? You'd have more karma if you just kept to a single user