Solved: how can pass a date to search index to pull the in...

nikilkatturi · ‎08-29-2019

i am trying to pull the data from splunk index using python and it triggers every 5 min. So i need to fetch the new data for the every run , nothing but an incremental data pull.

solarboyz1 · ‎08-29-2019

Splunk does not keep anything like a record number, to allow you to track the last record pulled and continue from there.
Since events can arrive well after the were generated, using the events time as the filter will cause you to miss events received late.

Start=$End_Previous_Run$+1
End=now()-5m

Then using those timeframes in your splunk search:
index=* criteria _index_earliest=$Start _index_latest=$End

Doing this should simulate a incremental pull of the data.

The format of the date sent can be in epoch time, which I recommend:
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/SearchTimeModifiers

View solution in original post

solarboyz1 · ‎08-29-2019

Splunk does not keep anything like a record number, to allow you to track the last record pulled and continue from there.
Since events can arrive well after the were generated, using the events time as the filter will cause you to miss events received late.

Start=$End_Previous_Run$+1
End=now()-5m

Then using those timeframes in your splunk search:
index=* criteria _index_earliest=$Start _index_latest=$End

Doing this should simulate a incremental pull of the data.

The format of the date sent can be in epoch time, which I recommend:
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/SearchTimeModifiers

nikilkatturi · ‎09-10-2019

Thanks for the answer. In what format should i pass the date ?

solarboyz1 · ‎09-10-2019

I would use Epoch or Unix time:
https://en.wikipedia.org/wiki/Unix_time

how can pass a date to search index to pull the incremental data

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life