How do I pass a specific time to a search run with the Python SDK?

Path Finder

I have read the time modifier documentation here: https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/SearchReference/SearchTimeModifiers#_time...

kwargs_export = {"earliest_time": "10/5/2016:20:00:00",
                 "latest_time": "now",
                 "search_mode": "normal"}

This is what I am passing for my search. I copied and pasted the date format exactly as it is in the documentation, and I am getting the error below.

splunklib.binding.HTTPError: HTTP 400 Bad Request -- Invalid earliest_time.

Am I missing something? Any help is greatly appreciated! Thanks!

EDIT:

For those in the future looking for the answer, the example below will work as expected.

kwargs_export = {"earliest_time": "2017-01-24T07:20:38.000-05:00",
                 "latest_time": "now",
                 "search_mode": "normal"}
0 Karma

Re: How do I pass a specific time to a search run with the Python SDK?

SplunkTrust

To my knowledge there isn't an earliest_time or latest_time. Instead I believe you should be using earliest and latest without _time appended.

Re: How do I pass a specific time to a search run with the Python SDK?

Path Finder

Ah. Fantastic, thanks. That was the error preventing it from running... Any idea why it doesn't stop at the specified latest value, "now"?

0 Karma

Re: How do I pass a specific time to a search run with the Python SDK?

SplunkTrust

When I want "now" in Splunk I typically use "now()". Have you tried that?

0 Karma

Re: How do I pass a specific time to a search run with the Python SDK?

Path Finder

Whoops, I meant specified earliest value. It doesn't stop returning log files when the search reaches the specified earliest value. That was my mistake.

0 Karma

Re: How do I pass a specific time to a search run with the Python SDK?

SplunkTrust

Does earliest=now() work?

0 Karma

Re: How do I pass a specific time to a search run with the Python SDK?

Path Finder

Apparently with the Python SDK you need to specify the time in UTC format. That was my issue. Thanks for the help!

0 Karma
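
Added example (not part of the original thread, and not Splunk's own code): one way to build the ISO 8601 timestamp format shown in the question's EDIT from a timezone-aware Python datetime, so a search window is pinned to an explicit offset or to UTC. The helper names `splunk_time` and `export_window` are hypothetical, and the sample timestamp is constructed from the one in the EDIT.

```python
from datetime import datetime, timedelta, timezone


def splunk_time(dt, to_utc=False):
    """Format an aware datetime as ISO 8601 with milliseconds and an offset."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        # A naive datetime carries no offset, so the search window would
        # depend on whichever timezone the receiving side assumes.
        raise ValueError("datetime must be timezone-aware")
    if to_utc:
        dt = dt.astimezone(timezone.utc)
    return dt.isoformat(timespec="milliseconds")


def export_window(earliest, latest=None, to_utc=False):
    """Build the time kwargs for a search bounded by [earliest, latest].

    Hypothetical helper: latest=None falls back to the "now" modifier
    used in the thread.
    """
    earliest_s = splunk_time(earliest, to_utc)
    latest_s = "now" if latest is None else splunk_time(latest, to_utc)
    if latest is not None and latest <= earliest:
        raise ValueError("latest must be after earliest")
    return {
        "earliest_time": earliest_s,
        "latest_time": latest_s,
        "search_mode": "normal",
    }


# Constructed sample: the timestamp from the EDIT, at a -05:00 offset.
EST = timezone(timedelta(hours=-5))
start = datetime(2017, 1, 24, 7, 20, 38, tzinfo=EST)

kwargs_export = export_window(start)
# With a connected splunklib.client.Service named `service` (assumed, not
# created here), the dict would be passed as:
#   service.jobs.export("search index=main", **kwargs_export)

if __name__ == "__main__":
    print(kwargs_export)
    print(export_window(start, start + timedelta(hours=1), to_utc=True))
```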