topic Re: What's the correct search syntax for my earliest and latest date range? in Splunk Search

What's the correct search syntax for my earliest and latest date range?

kgreat — Sun, 08 Mar 2015 08:25:11 GMT

For example, I need to search for all rehire dates between 12-01-2014 through 12-31-2014

"rehire date"=earliest="12/01/2014:00:00:00" latest="12/31/2014:00:00:00"

What am I doing wrong in the above syntax?

Re: What's the correct search syntax for my earliest and latest date range?

martin_mueller — Sun, 08 Mar 2015 11:03:21 GMT

Drop the equals sign between your string "rehire date" and the earliest="..." and you should be good.

Edit: Now that rehire_date has been confirmed as an extracted field that's different from _time, using the earliest and latest filters is not going to work. Instead, you'll need to set your time range as wide as necessary to match your event's _time values and run a search like this:

keywords that identify your events | where rehire_date >= strptime("12/01/2014", "%m/%d/%Y") AND rehire_date < strptime("01/01/2015", "%m/%d/%Y")

Note, I have added a day to the end because you mentioned "through 12/31/2014", implying that rehires that happen on the 31st should still be found.

Re: What's the correct search syntax for my earliest and latest date range?

kgreat — Sun, 08 Mar 2015 18:27:16 GMT

Remove the equal sign after the "rehire date" ?

For example,

"rehire date" earliest="12/01/2014:00:00:00" latest="12/31/2014:00:00:00"

Or should I be adding another "=" between

I'm trying to find all rehires between 12/01/2014 through 12/31/2014. I'm getting 0 events when I know I should between getting at least 4 people that come up.

Re: What's the correct search syntax for my earliest and latest date range?

somesoni2 — Sun, 08 Mar 2015 20:17:51 GMT

Is "rehire date" an extracted field? Is timestamp for your events is same as "rehire date" ? Can you post some sample entries?

Re: What's the correct search syntax for my earliest and latest date range?

kgreat — Mon, 09 Mar 2015 06:33:58 GMT

Yes, the "rehire date" is an extracted field. The timestamp of the events is a different date as the "rehire date

to post the sample I'd have to reproduce something fake.

Re: What's the correct search syntax for my earliest and latest date range?

srinathd — Mon, 28 Sep 2020 19:07:54 GMT

you have to change the earliest and latest values in the below query and try

eval begindate="$earliest$" | eval epochdaystart=if(isnum(begindate), begindate, relative_time(now(), begindate)) | eval epochdaystart= strftime(epochdaystart,"%Y%m%d") | eval dateepoch=strftime(_time,"%Y%m%d") | eval latest="$latest$" | eval enddate=if(latest=="now","@d",latest) | eval epochdayend=if(isnum(enddate), enddate, relative_time(now(), enddate)) | eval epochdayend= strftime(epochdayend,"%Y%m%d") | where dateepoch >=epochdaystart AND dateepoch <=epochdayend

Re: What's the correct search syntax for my earliest and latest date range?

martin_mueller — Wed, 11 Mar 2015 20:27:16 GMT

I have updated my answer to reflect that the rehire date is in fact not the timestamp of the event but rather an unrelated extracted field.

Re: What's the correct search syntax for my earliest and latest date range?

kgreat — Sun, 15 Mar 2015 20:25:34 GMT

Thank you! I was able to find the correct number of people using the following:

"Rehire Date">="2014/12/01 00:00:00" AND "Rehire Date"<"2015/01/01 00:00:00"