Archive

Query time modifier

Path Finder

I have a saved search and I would like to limit the output to a specific timeframe- but unfortunately I am getting complete results and not the time range alone I want. | savedsearch test earliest=1355052259 latest=1355055859

(I am using sdk Splunk Java and I'm unable to get desired results either from sdk splunk java or from splunk web UI). Kindly help.

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Your search does not have placeholders $earliest$ and $latest$, so doing

| savedsearch test earliest=1355052259 latest=1355055859

makes no variable substitutions for earliest and latest happen.

View solution in original post

SplunkTrust
SplunkTrust

Your search does not have placeholders $earliest$ and $latest$, so doing

| savedsearch test earliest=1355052259 latest=1355055859

makes no variable substitutions for earliest and latest happen.

View solution in original post

Path Finder

Thank you.

0 Karma

Path Finder

index="ia" sourcetype="test1" OR sourcetype="test2" | transaction fields="myfield" startswith="started" endswith="ended" | search index=ia duration>5 |convert ctime(_time) as Time | sort by Time

duration is an extracted field

0 Karma

SplunkTrust
SplunkTrust

What's your search?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!