Archive2
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using _indextime to specify time range.

dinh
Path Finder
‎01-20-2010 05:28 AM

Any chance I can specify earliest/latest on _indextime (the time the event was indexed) instead of _time (event time)? I'm thinking no...

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-20-2010 06:07 AM

UPDATE -

In splunk 5+ you can use time modifiers for index time

_index_earliest=-h@h _index_latest=@h

dmj

No, you can't. You can search/filter on _indextime:

_indextime > 126390000 _indextime <1263967510

but the Splunk index itself is organized by _time, so you would still need to specify a range for it conventionally (and if you wanted all time, it would have to look through all time.) And your results would come back ordered by _time, so you'd then need to sort.

View solution in original post

Reply
Solved! Jump to solution

cramasta
Builder
‎10-01-2014 06:07 PM

In splunk 5+ you can use time modifiers for index time

_index_earliest=-h@h _index_latest=@h

http://blogs.splunk.com/2013/09/26/an-introduction-to-the-theory-or-relative-time-modifiers-for-_ind...

Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎07-13-2017 07:44 AM

After they messed with the blog, here is the new link: https://www.splunk.com/blog/2013/09/26/an-introduction-to-the-theory-or-relative-time-modifiers-for-...

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-20-2010 06:07 AM

UPDATE -

In splunk 5+ you can use time modifiers for index time

_index_earliest=-h@h _index_latest=@h

dmj

No, you can't. You can search/filter on _indextime:

_indextime > 126390000 _indextime <1263967510

but the Splunk index itself is organized by _time, so you would still need to specify a range for it conventionally (and if you wanted all time, it would have to look through all time.) And your results would come back ordered by _time, so you'd then need to sort.

View solution in original post

Reply
Solved! Jump to solution

Jason
Motivator
‎01-19-2015 07:08 AM

This is only true for Splunk earlier than version 5.

Reply
Solved! Jump to solution

Johnvey
Contributor
‎01-20-2010 05:46 AM

Can you clarify what you mean by _indextime? The time at which the event was indexed, or some other time property of the containing index?

0 Karma
Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!