events between a specific time

Builder

hi all,
How can I query so that I could get events between a specific time? The time will be dynamic, so I can't use the earliest or latest time options.
Please help.
thank you

0 Karma

Splunk Employee

I'd try source=src.txt | transaction startswith="START" endswith="END"


Champion

Also, why are you posting on here under multiple usernames? You'd have more karma if you just kept to a single user

0 Karma

Champion

Not quite, if you ever say things like, "certain number" or "my query" then it should set alarm bells ringing, those should be a number or a query. Without the detail there is nothing anyone can do but ask you a question instead of offering an answer, which defeats the point of you asking something to begin with 🙂

Builder

Sorry, I was trying with maxspan=the number of events I need; it has to be exactly the events in the returned search result. maxevents=8000 worked well.
Thank you.
drainy,
I think if people didn't understand the comment/question they can ask it; that is the need of an interactive forum. I felt my question was quite OK to understand, and I am sorry for my bad English. Will try to improve.
Thank you.

0 Karma

Champion

What is this mysterious "certain number" of events? You really need to think how others will read or understand your questions or comments before posting them, they need to actually advance our understanding of the problem in order to help 😉 Have a read of the transaction docs, there are a number of limits which the command can hit while running, you may just need to override them with more suitable values. http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/transaction

Builder

This works well for a certain number of events; if the number of events is more, I am getting the output as
"Nothing to inspect"

0 Karma

Ultra Champion

Some actual data would be beneficial, but transaction can come a long way in getting this sorted out. There are several types of constraints to limit the 'greediness'.

0 Karma

Builder

The values are occurring multiple times, i.e.
I need the duration between start and end, but I will have 3 or 4 pairs of the same repeated in the log.

0 Karma

Legend

Is there a specific reason for not using transaction for this?

Also what do the times have to do with this? The way I see it you just want to fetch everything between an event containing "START" and an event containing "END"?

0 Karma

Builder

source=src.txt START | append [search index=main source=src.txt | search END]
This is my search query, and I will get start and end events but not the events between them. I tried appending |search _time>=earliest(_time) _time<=latest(_time)
Please help me with a good search.
Thank you.

0 Karma
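As an added example (not part of any post in this thread), here is a fuller version of the transaction search from the accepted answer that also covers the later comments: the limits the asker ran into (maxevents=8000 from the asker's own comment), the repeated START/END pairs in the same log, and the need to see the duration of each pair. The source name, the START and END markers and maxevents=8000 come from the thread; index=main is taken from the asker's append search; maxspan=1h is an assumed value and should be set to the longest START-to-END gap expected in the data.

```spl
index=main source=src.txt
| transaction startswith="START" endswith="END" maxevents=8000 maxspan=1h keepevicted=true
| eval pair_status=if(closed_txn=1, "complete", "evicted or unterminated")
| table _time duration eventcount pair_status
```

Each START..END pair becomes one transaction, so repeated pairs in the same file produce one row each with their own duration (seconds between the first and last event) and eventcount. keepevicted=true keeps transactions that hit maxevents or maxspan instead of silently dropping them, and marks them with closed_txn=0, so the pair_status column shows which results are trustworthy and which limit needs raising when the search returns fewer pairs than expected.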

Champion

We'd need more detail than this. Do you have a search already? Where will the time be coming from? Will this be in a dashboard/form?

0 Karma