Solved: How to pass a time range using API

moe786 · ‎03-05-2019

So I am using the Splunk SDK with Python 3.7.x (splunklib) and am trying to figure out how to ask for data in a certain time range. Right now I'm simply passing it a query, but when I try to pass time, it just ignores the range and sends me all the data for the last few months of data.

Using this to run the job searches:

rr = results.ResultsReader(service.jobs.export(query))

How do I get data from a certain time range using the SDK?

sdchakraborty · ‎03-05-2019

Hi,

In your query itself you can pass earliest and latest time. It will filter accordingly. Something like,

rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

Sid

View solution in original post

jaywang66 · ‎07-30-2021

This works for me. I plan to do more fine tune on the search filter.

rr = results.ResultsReader(service.jobs.export("search host=App1 index=ftp _indextime>=1627665310 _indextime<1627665313"))

sdchakraborty · ‎03-05-2019

Hi,

In your query itself you can pass earliest and latest time. It will filter accordingly. Something like,

rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

Sid

moe786 · ‎03-05-2019

Do I need to worry about stuff like the time format or having it in %H-%M-%S format or something?

sdchakraborty · ‎03-05-2019

I think you need to convert them to epoch format before you pass them to earliest or latest.

moe786 · ‎03-05-2019

So it would be earliest=-epochformedtime ?

sdchakraborty · ‎03-05-2019

when you are giving epoch for earliest and latest no need to give negative number.

moe786 · ‎03-05-2019

okay tyvm

sdchakraborty · ‎03-05-2019

Hi,

If you fine with the answer please accept it as answer. I have converted my comment as answer.

Sid

How to pass a time range using API

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM