Can we pass earliest and latest time in subsearch as Y-m-d H:M:S format

Contributor

I have a scenario where I need to pass earliest and latest time in my subsearch down to milliseconds. How can we achieve that, given that my main search runs for the past 5 days?


Re: Can we pass earliest and latest time in subsearch as Y-m-d H:M:S format

SplunkTrust

Hi ankithreddy777,

You can set earliest=-15m and latest=now in the subsearch by using the subsearch below.

[
    <<your_search>> earliest=-15m latest=now
]

In your case, as I understand it, you have earliest and latest in "Y-m-d H:M:S" format. So here I used the return command to convert the date to epoch time and use it in the search filter. Then the subsearch is:

[
 <<your_search>> [ | makeresults | eval earliest=strptime("2017-02-01 00:01:01","%Y-%m-%d %H:%M:%S"), latest=strptime("2017-02-01 00:11:01","%Y-%m-%d %H:%M:%S") | return 1 earliest latest ]
]

Please change the strptime format if required.

So can you please try this search?

Thanks
Kamlesh


Re: Can we pass earliest and latest time in subsearch as Y-m-d H:M:S format

Contributor

Hi Kamlesh,
Can we pass the time down to milliseconds? My requirement is that I need to pass values to millisecond precision; otherwise I would have used epoch time. My earliest and latest times can be in any format, but I need to pass them down to milliseconds. Ex: 2017-02-01 00:11:01.587 OR 02/01/2017:00:11:01.587.


Re: Can we pass earliest and latest time in subsearch as Y-m-d H:M:S format

SplunkTrust

Hi,
Yes.
You can format it using:
| eval earliest=strptime("2017-02-01 00:01:01.587","%Y-%m-%d %H:%M:%S.%3Q")
OR
| eval earliest=strptime("02/01/2017:00:11:01.587","%m/%d/%Y:%H:%M:%S.%3Q")

Please see the Date Time format documentation for other date/time formats. It will help you a lot.

Thanks
Kamlesh

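The complete search that the two answers above describe, written out as an added example (not part of the original thread): a subsearch converts two millisecond-precision timestamps, in the two different formats the asker mentioned, to epoch time with strptime and hands them to the outer search with return, which emits them as earliest=... latest=... so they override the time picker. `index=_internal sourcetype=splunkd` is only a placeholder data source; substitute your own search.

```spl
index=_internal sourcetype=splunkd
    [| makeresults
     | eval earliest=strptime("2017-02-01 00:01:01.587", "%Y-%m-%d %H:%M:%S.%3Q"),
            latest=strptime("02/01/2017:00:11:01.587", "%m/%d/%Y:%H:%M:%S.%3Q")
     | return 1 earliest latest]
| stats count, min(_time) AS first_event, max(_time) AS last_event
| eval first_event=strftime(first_event, "%Y-%m-%d %H:%M:%S.%3Q"),
       last_event=strftime(last_event, "%Y-%m-%d %H:%M:%S.%3Q")
```

To check what the outer search will actually receive, run the bracketed part on its own (drop the surrounding brackets): it yields a single row whose search field reads `earliest="1485907261.587000" latest="1485907861.587000"`, the values above assuming a UTC search-head timezone. Two caveats worth keeping in mind: strptime without a %z or %Z directive interprets the string in the searching user's configured timezone, so timestamps copied from a log in another zone need the offset appended to the string and the format; and %3Q keeps exactly three subsecond digits, so an input with more or fewer digits (for example `.58` or `.587123`) needs the matching %2Q or %6Q or the function returns null and the outer search gets no time bounds at all.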

Re: Can we pass earliest and latest time in subsearch as Y-m-d H:M:S format

Contributor

thanks a lot


Re: Can we pass earliest and latest time in subsearch as Y-m-d H:M:S format

SplunkTrust

Hi,

If your problem is solved, then kindly accept the answer, as it would be helpful to the community.

Thanks
Kamlesh
