
Using _indextime to specify time range.

Path Finder

Any chance I can specify earliest/latest on _indextime (the time the event was indexed) instead of _time (event time)? I'm thinking no...


Builder

In Splunk 5+ you can use time modifiers for index time:

_index_earliest=-h@h _index_latest=@h

http://blogs.splunk.com/2013/09/26/an-introduction-to-the-theory-or-relative-time-modifiers-for-_ind...


Splunk Employee

UPDATE -

In Splunk 5+ you can use time modifiers for index time:

_index_earliest=-h@h _index_latest=@h

dmj

No, you can't. You can search/filter on _indextime:

_indextime > 126390000 _indextime <1263967510

but the Splunk index itself is organized by _time, so you would still need to specify a range for it conventionally (and if you wanted all time, it would have to look through all time.) And your results would come back ordered by _time, so you'd then need to sort.


Motivator

This is only true for Splunk earlier than version 5.

Contributor

Can you clarify what you mean by _indextime? The time at which the event was indexed, or some other time property of the containing index?
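
Added example, not written by any poster in this thread: one SPL search that combines the two answers above. It keeps a conventional _time window, filters on index time with the Splunk 5+ modifiers, computes how late each event arrived, and sorts by _indextime because results otherwise come back ordered by _time. The index name main, the 7-day _time window, and the field names indexed_at, event_time and index_lag_sec are assumptions chosen for illustration.

```spl
index=main earliest=-7d@d latest=now _index_earliest=-h@h _index_latest=@h
| eval index_lag_sec = _indextime - _time
| eval indexed_at = strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| eval event_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| sort 0 _indextime
| table indexed_at event_time index_lag_sec host source sourcetype
```

Events indexed in the last full hour whose _time falls outside the 7-day window are not returned, so the _time window has to be at least as wide as the longest delay expected between event time and index time.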
