Hi,
I am new to Splunk and I have a minor problem.
When I created a report, at the start time (dispatch.earliest_time) I would like to use an absolute time (like a date and time), but I don't know the correct format.
This is the format in the documentation, but it is not working: 10/19/2009:0:0:0
I got this error:
Encountered the following error while trying to update: In handler 'savedsearch': Cannot parse time argument 'dispatch.earliest_time': '2012-06-20T16:27:43.000-07:00'
Can someone point me to the correct format?
Thanks, laszlo
I got on this problem now.
The last version of Splunk still does not provide an easy way to do this.
You can specify the absolute time in the "unix seconds" format. You can use a conversion tool as said before, or create a report from search web, specify the times you want and then use it on your own report or modify the saved one to your needs...
Use the epoch time to provide absolute time e.g. epoch equivalent for StartTime and FinishTime values from Splunk Web UI (use http://www.epochconverter.com/ or similar sites to get that.)
I don't have access to the CLI.
So I think then this is it... no absolute time in web.
thanks,
laszlo
I don't think that you can specify absolute time in Web. If you see the time specifiers below the text box, they are all relative. The "learn more" link also points to relative time.
/en-US/help?location=learnmore.manager.relativetime
Don't you have the option to edit the savedsearches.conf?
I cannot upload a picture here in the forum.
I uploaded one here:
https://drive.google.com/file/d/0B-UcVhaZZeNudGRPTkxfLTNzODg/edit?usp=sharing
Please take a look.
So I am just using the web interface to create this report and never used dispatch.time_format.
thanks
laszlo
If you use absolute time then you should also specify the format. Use dispatch.time_format to format the value.
Have you used dispatch.time_format?
Can you post the configurations here?
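
The epoch conversion suggested in the answers above, as an added example that is not part of any post in this thread: it turns the two timestamp styles quoted in the question into epoch seconds offline and prints them as savedsearches.conf settings. The function names and the sample time zone are assumptions made for the example, and it relies on the answers' statement that epoch values are accepted for dispatch.earliest_time (dispatch.latest_time is the matching end-of-range setting).

```python
from datetime import datetime, timezone, timedelta

# The two absolute-time formats quoted in the thread.
ISO_WITH_OFFSET = "%Y-%m-%dT%H:%M:%S.%f%z"  # 2012-06-20T16:27:43.000-07:00
DOC_STYLE = "%m/%d/%Y:%H:%M:%S"             # 10/19/2009:0:0:0


def to_epoch(text, assume_tz=timezone.utc):
    """Convert a timestamp in either format to whole epoch seconds.

    DOC_STYLE carries no UTC offset, so the caller must say which zone it
    was written in (assume_tz); otherwise the search window silently shifts.
    """
    for fmt in (ISO_WITH_OFFSET, DOC_STYLE):
        try:
            parsed = datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=assume_tz)
        return int(parsed.timestamp())
    raise ValueError(f"unrecognised timestamp: {text!r}")


def dispatch_settings(earliest, latest, assume_tz=timezone.utc):
    """Return savedsearches.conf lines with both bounds as epoch seconds."""
    start, end = to_epoch(earliest, assume_tz), to_epoch(latest, assume_tz)
    if start >= end:
        raise ValueError("earliest time must be before latest time")
    return (f"dispatch.earliest_time = {start}\n"
            f"dispatch.latest_time = {end}")


if __name__ == "__main__":
    pacific_daylight = timezone(timedelta(hours=-7))  # constructed sample zone
    print(dispatch_settings("10/19/2009:0:0:0",
                            "2012-06-20T16:27:43.000-07:00",
                            assume_tz=pacific_daylight))
```

The seven-hour gap between the UTC and UTC-7 readings of the same offset-free timestamp is enough to move events in or out of a report window, so fix the zone explicitly when converting.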