https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465887#M191763 <P>Splunk does not keep anything like a record number, to allow you to track the last record pulled and continue from there. <BR /> Since events can arrive well after the were generated, using the events time as the filter will cause you to miss events received late.</P> <P>Start=$End_Previous_Run$+1<BR /> End=now()-5m</P> <P>Then using those timeframes in your splunk search:<BR /> index=* criteria _index_earliest=$Start _index_latest=$End</P> <P>Doing this should simulate a incremental pull of the data. </P> <P>The format of the date sent can be in epoch time, which I recommend:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/SearchTimeModifiers" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/SearchTimeModifiers</A></P> Wed, 30 Sep 2020 01:57:37 GMT solarboyz1 2020-09-30T01:57:37Z https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465886#M191762 <P>i am trying to pull the data from splunk index using python and it triggers every 5 min. So i need to fetch the new data for the every run , nothing but an incremental data pull.</P> Thu, 29 Aug 2019 14:47:20 GMT https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465886#M191762 nikilkatturi 2019-08-29T14:47:20Z https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465887#M191763 <P>Splunk does not keep anything like a record number, to allow you to track the last record pulled and continue from there. <BR /> Since events can arrive well after the were generated, using the events time as the filter will cause you to miss events received late.</P> <P>Start=$End_Previous_Run$+1<BR /> End=now()-5m</P> <P>Then using those timeframes in your splunk search:<BR /> index=* criteria _index_earliest=$Start _index_latest=$End</P> <P>Doing this should simulate a incremental pull of the data. </P> <P>The format of the date sent can be in epoch time, which I recommend:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/SearchTimeModifiers" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/SearchTimeModifiers</A></P> Wed, 30 Sep 2020 01:57:37 GMT https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465887#M191763 solarboyz1 2020-09-30T01:57:37Z https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465888#M191764 <P>Thanks for the answer. In what format should i pass the date ?</P> Tue, 10 Sep 2019 15:24:09 GMT https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465888#M191764 nikilkatturi 2019-09-10T15:24:09Z https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465889#M191765 <P>I would use Epoch or Unix time:<BR /> <A href="https://en.wikipedia.org/wiki/Unix_time">https://en.wikipedia.org/wiki/Unix_time</A></P> Tue, 10 Sep 2019 16:36:26 GMT https://community.splunk.com/t5/Splunk-Search/how-can-pass-a-date-to-search-index-to-pull-the-incremental-data/m-p/465889#M191765 solarboyz1 2019-09-10T16:36:26Z