Getting Data In

Can I set earliest/latest times in the JobArgs using %m/%d/%Y:%H:%M:%S format?

Explorer

If i give an absolute time as documented in this documentation (http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Specifytimemodifiersinyoursearch ) via the JobArgs, the search job fails. Anyone ever get it to work using the absolute time format?

I can work around it but would be easiest to just give the search a date and time in a human readable format.

Thanks!

1 Solution

Explorer

Based on the java doc, the default format for the absolute timestamp you can pass in is ISO-8601 (tried and confirmed).
Additionally, it seems you can set the format of the time you want to pass in to the JobArgs:

public void setTimeFormat(java.lang.String timeFormat) : Sets the format for converting a formatted time string from {start,end}_time into UTC seconds. The default value is ISO-8601.
Parameters: timeFormat - The time format string

http://docs.splunk.com/Documentation/JavaSDK

Thanks for your inputs!

View solution in original post

Explorer

Based on the java doc, the default format for the absolute timestamp you can pass in is ISO-8601 (tried and confirmed).
Additionally, it seems you can set the format of the time you want to pass in to the JobArgs:

public void setTimeFormat(java.lang.String timeFormat) : Sets the format for converting a formatted time string from {start,end}_time into UTC seconds. The default value is ISO-8601.
Parameters: timeFormat - The time format string

http://docs.splunk.com/Documentation/JavaSDK

Thanks for your inputs!

View solution in original post

Influencer

Starting with a comment, because I haven't used the Java SDK much so am working off docs and intuition... But I wonder if you need to supply a timeformat through JobArgs#setTimeFormat(String) when you provide your formatted string. Maybe it's not defaulted as timeformat is in splunk ?

Path Finder

I need to do something similar:

i want to redirect my web page to splunk search page

I'm using this URL:

http://x.x.x.x:xxxx/en-US/app/xxxx/search?earliest=05/11/2015:16:44:28&latest=05/11/2015:16:46:15&q=...

But I keep getting "Invalid earliest_time".

When I perform the search in Splunk search page, I see this URL in the browser: http://x.x.x.x:xxxx/en-US/app/xxxx/search?earliest=1431351868&latest=1431351975&q=search%20YYG3XVJEU...

My question is, how does Splunk transform this earliest=05/11/2015:16:44:28 To earliest=1431351868? I'm working with Java. I tried sending the date long value in the request, but still got the same error...

Thanks,

0 Karma

Explorer

Just saw your comment and I can confirm that the timeformat you can suppy via SDK is defaulted to ISO-8601.

I wonder why that information is not a part of the set(Latest/Earliest)Time method definitions?
Could have saved me some time!!

0 Karma

Motivator

Yes! But you must write the times in Unix (epoch) time or relative time notation : Something like this 1389722400 The epoch time value you enter is converted to local time. This timestamp is displayed under the text field so that you can verify your entry.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Search/Selecttimerangestoapply

0 Karma

Explorer

I can work with epoch time just fine...my question is if there is a way to set the time in a human readable format (%m/%d/%Y:%H:%M:%S) rather than have to convert a local timestamp to epoch time. The current use case allows the setting of earliest/latest date via an application configuration file.

The setting below fails:

theSearchArgs.setLatestTime("05/20/2015:04:04:04");
theSearchArgs.setEarliestTime("05/20/2015:04:04:04");

This method below works just fine:

theSearchArgs.setLatestTime("1389722400");
theSearchArgs.setEarliestTime("1389722400");

I realize I can do the timestamp conversion within Java (and will at some point) but, for my current use case, I'm asking if we can supply the timestamp in the %m/%d/%Y:%H:%M:%S format.

Thanks!

EDIT: Splunk java doc says this:

> InputStream com.splunk.Service.oneshotSearch(String query, Args args)

Parameters:
query The search query.
args The search arguments:
"output_mode": Specifies the output format of the results (XML, JSON, or CSV).
"earliest_time": Specifies the earliest time in the time range to search. The time string can be a UTC time (with fractional seconds), a relative time specifier (to now), or a formatted time string.
"latest_time": Specifies the latest time in the time range to search. The time string can be a UTC time (with fractional seconds), a relative time specifier (to now), or a formatted time string.
"rf": Specifies one or more fields to add to the search.

0 Karma