Developing for Splunk Enterprise

How to pass a time range using API

Explorer

So I am using the Splunk SDK with Python 3.7.x (splunklib) and am trying to figure out how to ask for data in a certain time range. Right now I'm simply passing it a query, but when I try to pass time, it just ignores the range and sends me all the data for the last few months of data.

Using this to run the job searches:

rr = results.ResultsReader(service.jobs.export(query))

How do I get data from a certain time range using the SDK?

0 Karma
1 Solution

Contributor

Hi,

In your query itself you can pass earliest and latest time. It will filter accordingly. Something like,

rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

Sid

Explorer

Do I need to worry about stuff like the time format or having it in %H-%M-%S format or something?

0 Karma

Contributor

I think you need to convert them to epoch format before you pass them to earliest or latest.

0 Karma

Explorer

So it would be earliest=-epochformedtime?

0 Karma

Contributor

When you are giving epoch for earliest and latest, there is no need to give a negative number.

0 Karma
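As an added example (not code from the thread or from the Splunk SDK itself), the following helper ties together the accepted answer and the epoch discussion above: it builds the SPL string with earliest=/latest= placed in the search command, accepts either a relative modifier such as -1h or an absolute time that it converts to epoch seconds, and rejects a negative "epoch" like the one asked about. The connection details under the main guard are assumed placeholders.

```python
import re
from datetime import datetime, timezone

# Subset of Splunk's relative time modifiers accepted here: -1h, -7d@d, @d, now.
# Assumption: Splunk's full modifier grammar is wider than this pattern.
_REL_MOD = re.compile(r"^(now|[-+]?\d+(s|m|h|d|w|mon|y)(@\w+)?|@\w+)$")


def to_time_arg(value):
    """Return the token that goes after earliest= or latest=.

    int/float  -> Unix epoch seconds, used as-is (no leading '-')
    datetime   -> converted to epoch seconds; naive values are assumed UTC
    str        -> must be a relative modifier such as -1h or @d
    """
    if isinstance(value, bool):
        raise TypeError("bool is not a valid time bound")
    if isinstance(value, (int, float)):
        return str(int(value))
    if isinstance(value, datetime):
        if value.tzinfo is None:
            value = value.replace(tzinfo=timezone.utc)
        return str(int(value.timestamp()))
    if isinstance(value, str) and _REL_MOD.match(value):
        return value
    # A bare negative number like -1577836800 is neither a modifier nor an epoch.
    raise ValueError(f"unsupported time bound: {value!r}")


def is_valid_bound(value):
    """True if to_time_arg() accepts the value."""
    try:
        to_time_arg(value)
        return True
    except (TypeError, ValueError):
        return False


def build_spl(base_query, earliest=None, latest=None):
    """Prepend 'search' if missing and insert earliest=/latest= as search terms.

    The bounds go right after 'search' so they apply before any later pipe.
    """
    q = base_query.strip()
    if not q.startswith("search "):  # jobs.export() needs a leading command
        q = "search " + q
    bounds = []
    if earliest is not None:
        bounds.append("earliest=" + to_time_arg(earliest))
    if latest is not None:
        bounds.append("latest=" + to_time_arg(latest))
    if earliest is not None and latest is not None:
        e, l = to_time_arg(earliest), to_time_arg(latest)
        if e.isdigit() and l.isdigit() and int(e) > int(l):
            raise ValueError("earliest must not be after latest")
    if not bounds:
        return q
    return "search " + " ".join(bounds) + " " + q[len("search "):]


if __name__ == "__main__":
    # Assumed placeholder connection details; splunklib is the SDK used in the thread.
    import splunklib.client as client
    import splunklib.results as results
    service = client.connect(host="localhost", port=8089,
                             username="admin", password="changeme")
    spl = build_spl("index=_internal | head 5",
                    earliest=datetime(2020, 1, 1, tzinfo=timezone.utc), latest="now")
    for row in results.ResultsReader(service.jobs.export(spl)):
        print(row)
```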

Explorer

okay tyvm

0 Karma

Contributor

Hi,

If you are fine with the answer, please accept it as the answer. I have converted my comment to an answer.

Sid

0 Karma