Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

query for time

DTERM
Contributor
‎05-17-2011 10:01 AM

I need a query that will extract all log data between (say) 10:00 PM and 10:00 AM. What is the best way to accomplish this?

TIA

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎05-17-2011 10:06 AM 
 index=* earliest=05/16/2011:22:0:0 latest=05/17/2011:10:0:0

http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch

Specify absolute time ranges in your search

When searching or saving a search, you can specify time ranges using the following attributes:

earliest=<time_modifier> 
latest=<time_modifier>

For exact time ranges, the syntax of time_modifier is: %m/%d/%Y:%H:%M:%S. For example, to specify a time range from 12AM October 19, 2009 to 12AM October 27, 2009:

earliest=10/19/2009:0:0:0 latest=10/27/2009:0:0:0

If you specify only the "earliest" attribute, "latest" is set to the current time (now) by default. In general, you won't specify "latest" without an "earliest" time.

Important: When you specify a time range in your search or saved search, it overrides the time range that is selected in the dropdown menu. However, the time range specified directly in the search string will not apply to subsearches (but the dropdown selected range will apply).

View solution in original post

Reply
Solved! Jump to solution
Solution

jbsplunk
Splunk Employee
Splunk Employee
‎05-17-2011 10:06 AM 
 index=* earliest=05/16/2011:22:0:0 latest=05/17/2011:10:0:0

http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch

Specify absolute time ranges in your search

When searching or saving a search, you can specify time ranges using the following attributes:

earliest=<time_modifier> 
latest=<time_modifier>

For exact time ranges, the syntax of time_modifier is: %m/%d/%Y:%H:%M:%S. For example, to specify a time range from 12AM October 19, 2009 to 12AM October 27, 2009:

earliest=10/19/2009:0:0:0 latest=10/27/2009:0:0:0

If you specify only the "earliest" attribute, "latest" is set to the current time (now) by default. In general, you won't specify "latest" without an "earliest" time.

Important: When you specify a time range in your search or saved search, it overrides the time range that is selected in the dropdown menu. However, the time range specified directly in the search string will not apply to subsearches (but the dropdown selected range will apply).

Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎05-17-2011 10:53 AM

That ought to do it.

0 Karma
Reply
Solved! Jump to solution

MarioM
Motivator
‎05-17-2011 10:47 AM

thanks! for the original question example it will be something like

'earliest=@d-2h latest=@d+10' ?

Reply
Solved! Jump to solution

jbsplunk
Splunk Employee
Splunk Employee
‎05-17-2011 10:34 AM

It does not have to include a date. Relative time modifiers can be used as per the documentation here:

http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch#Syntax_for_relat...

so something like 'earliest=@d-2h' specifies 10PM, for example.

Reply
Solved! Jump to solution

MarioM
Motivator
‎05-17-2011 10:28 AM

can earliest only be time or does it have to include date? because the only way i find myself to search time range across differents dates is to use a search which says :

date_hour > 23 OR date_hour < 11 and then select a date range in the dropdown menu

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...