How can I query so that I am able to get events between a specific time? The time will be dynamic, so I can't use the earliest or latest time options.
Not quite. If you ever say things like "certain number" or "my query", then it should set alarm bells ringing: those should be a number or a query. Without the detail there is nothing anyone can do but ask you a question instead of offering an answer, which defeats the point of you asking something to begin with 🙂
Sorry, I was trying with maxspan=the number of events I need; it has to be exactly the events in the returned search result. maxevents=8000 worked well.
I think if people didn't understand the comment/question they can ask; that is the point of an interactive forum. I felt my question was quite OK to understand, and I am sorry for my bad English. I will try to improve.
What is this mysterious "certain number" of events? You really need to think about how others will read or understand your questions or comments before posting them; they need to actually advance our understanding of the problem in order to help 😉 Have a read of the transaction docs: there are a number of limits which the command can hit while running, and you may just need to override them with more suitable values. http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction
Some actual data would be beneficial, but transaction can go a long way in getting this sorted out. There are several types of constraints to limit the 'greediness'.
Is there a specific reason for not using transaction for this?
Also, what do the times have to do with this? The way I see it, you just want to fetch everything between an event containing "START" and an event containing "END"?
source=src.txt START | append [search index=main source=src.txt | search END]
This is my search query, and I get the START and END events but not the events between them. I tried appending |search _time>=earliest(_time) _time<=latest(_time)
Please help me with a good search.
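The two approaches discussed in this thread, written out as an added example; these searches are not part of the original question or answers. They assume the index and source from the question (index=main, source=src.txt), that the marker events literally contain the tokens START and END, and that each START event precedes its END event in time. One caveat worth knowing before tuning transaction: maxspan is a time span (for example 30s or 10m, with -1 meaning unlimited), not an event count; the event-count limit is maxevents, which defaults to 1000, so any group larger than that is silently truncated unless the limit is raised, which is why maxevents=8000 changed the result above.

```spl
index=main source=src.txt
| transaction startswith="START" endswith="END" maxevents=8000 maxspan=-1 maxpause=-1
| table _time duration eventcount _raw

index=main source=src.txt
    [ search index=main source=src.txt (START OR END)
      | stats min(_time) AS earliest max(_time) AS latest
      | return earliest latest ]
| sort 0 _time
```

The first search groups every START...END pair into one transaction and reports its duration and eventcount, so it also handles several pairs in the same source. The second search implements the dynamic time window the question asked about without fixed earliest/latest values: the subsearch computes the first START and last END timestamps and `return` hands them to the outer search as earliest=... latest=... terms, which returns every raw event in that window, markers included. It is the right tool when there is a single window; with multiple pairs it would also return the gaps between them, and transaction is the better choice.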