Developing for Splunk Enterprise

How to pass a time range using API

Explorer

So I am using the Splunk SDK with Python 3.7.x (splunklib) and am trying to figure out how to ask for data in a certain time range. Right now I'm simply passing it a query, but when I try to pass time, it just ignores the range and sends me all the data for the last few months of data.

Using this to run the job searches:

rr = results.ResultsReader(service.jobs.export(query))

How do I get data from a certain time range using the SDK?

0 Karma
1 Solution

Contributor

Hi,

In your query itself you can pass earliest and latest time. It will filter accordingly. Something like,

rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

Sid

View solution in original post

Contributor

Hi,

In your query itself you can pass earliest and latest time. It will filter accordingly. Something like,

rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

Sid

View solution in original post

Explorer

Do I need to worry about stuff like the time format or having it in %H-%M-%S format or something?

0 Karma

Contributor

I think you need to convert them to epoch format before you pass them to earliest or latest.

0 Karma

Explorer

So it would be earliest=-epochformedtime ?

0 Karma

Contributor

when you are giving epoch for earliest and latest no need to give negative number.

0 Karma

Explorer

okay tyvm

0 Karma

Contributor

Hi,

If you fine with the answer please accept it as answer. I have converted my comment as answer.

Sid

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!