Splunk Dev

How to pass a time range using API

moe786
Explorer

So I am using the Splunk SDK with Python 3.7.x (splunklib) and am trying to figure out how to ask for data in a certain time range. Right now I'm simply passing it a query, but when I try to pass time, it just ignores the range and sends me all the data for the last few months of data.

Using this to run the job searches:

rr = results.ResultsReader(service.jobs.export(query))

How do I get data from a certain time range using the SDK?

0 Karma
1 Solution

sdchakraborty
Contributor

Hi,

In your query itself you can pass earliest and latest time. It will filter accordingly. Something like,

rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

Sid

View solution in original post

jaywang66
Loves-to-Learn

This works for me. I plan to do more fine tune on the search filter.

rr = results.ResultsReader(service.jobs.export("search host=App1 index=ftp _indextime>=1627665310 _indextime<1627665313"))

0 Karma

sdchakraborty
Contributor

Hi,

In your query itself you can pass earliest and latest time. It will filter accordingly. Something like,

rr = results.ResultsReader(service.jobs.export("search index=_internal earliest=-1h | head 5"))

Sid

moe786
Explorer

Do I need to worry about stuff like the time format or having it in %H-%M-%S format or something?

0 Karma

sdchakraborty
Contributor

I think you need to convert them to epoch format before you pass them to earliest or latest.

0 Karma

moe786
Explorer

So it would be earliest=-epochformedtime ?

0 Karma

sdchakraborty
Contributor

when you are giving epoch for earliest and latest no need to give negative number.

0 Karma

moe786
Explorer

okay tyvm

0 Karma

sdchakraborty
Contributor

Hi,

If you fine with the answer please accept it as answer. I have converted my comment as answer.

Sid

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...