topic Re: Specifying a date range in field extraction window in Splunk Search

Specifying a date range in field extraction window

Spiere — Mon, 18 Jan 2016 19:31:10 GMT

Hey guys,

I am looking through a very very very large log of files for events. In the normal search screen, you can specify date ranges for your search, but in the field extraction screen, I cannot specify a range of dates to search through when I am searching for the sample event using the filter, so it searches through all (something like 200 million) events in order to find the string I am searching for. I know the date the event occurs on, and can find it in a normal search instantly, but not with the field extraction screen.

I have tried adding earliest=10/19/2009:0:0:0 latest=01/17/2016:0:0:0 to find the events, but it always just returns 0 events (before 1/18/16 7:29:48.000 PM). Is there a way to specify date ranges inside of the field extraction filter so that I dont have to filter through everything?

When I add that filter from above, I am searching for an event structured like this Jan 15 13:54:23 |actual error message|

Thanks

Re: Specifying a date range in field extraction window

somesoni2 — Mon, 18 Jan 2016 20:38:10 GMT

What version of Splunk you're using??

Re: Specifying a date range in field extraction window

Spiere — Mon, 18 Jan 2016 20:41:22 GMT

Splunk Enterprise Server 6.3.2

The filter they give only goes back 1 week, I need to go back months.

Re: Specifying a date range in field extraction window

Richfez — Mon, 18 Jan 2016 21:03:04 GMT

If I perform a search and drill my way down to a particular time frame (In my currently open test on my laptop - " 2 events (12/15/15 1:00:00.000 AM to 12/15/15 2:00:00.000 AM) "), then click "Extract New Fields" from the bottom of the fields list on the left, it takes me to a "Extract Fields, Select Sample" page with only the two events I had selected showing.

I can change my timeframe in search and repeat clicking the "Extract New Fields" with various numbers of events showing, but always that count matches what I had displayed in the search before.

Does it not do this for you? Are you getting to the field extractor via some other method?

Re: Specifying a date range in field extraction window

Spiere — Tue, 19 Jan 2016 18:20:48 GMT

Ah that did it. I was manually navigating to it through the settings menu. Thank you.

Re: Specifying a date range in field extraction window

Spiere — Tue, 19 Jan 2016 18:21:37 GMT

If you post that as an answer ill accept it.

Re: Specifying a date range in field extraction window

Richfez — Tue, 19 Jan 2016 18:26:57 GMT

Done, thanks, and glad I could help!