Solved: Re: earliest / latest not working with simple curl...

polentaelettric · ‎05-31-2013

Hi,

the request below returns data from today while I specifically set it to return data from 27th of May to the 29th:

curl -k -u user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export  --data-urlencode search="search * | head 3" -d output_mode=json -d earliest="05/27/2013:0:0:0" -d latest="05/29/2013:0:0:0"

For example the first record returned is:

{"preview":false,"offset":0,"result":{"_bkt":"main~8~642E60C4-F8A3-448A-89E0-95E274AD3C3F","_cd":"8:54469","_indextime":"1370003005","_raw":"May 31 13:23:23 etc...","_serial":"0","_si":["localhost","main"],"_sourcetype":"syslog","_time":"2013-05-31 13:23:23.000 BST","host":"localhost","index":"main","linecount":"1","source":"/var/log/system.log","sourcetype":"syslog","splunk_server":"localhost"}}

Time is: 2013-05-31 13:23:23.000 which is obviously outside the range I specified. I'm probably missing something obvious... what am I doing wrong ?

EDIT:

I'm trying now with a simple python script, again, I can't seem to return the results in the date range I specify. I tried various different ranges (rt-3d, rt-5d, full date, etc...) but nothing works.

request = urllib2.Request("https://localhost:8089/servicesNS/admin/search/search/jobs/export" 
        data = urllib.urlencode({'search': 'search memorystatus | head 3',\
            'output_mode': 'json',\
            'latest':"1369522800",\
            'earliest':"1369436400"}),
    headers = { 'Authorization': ('Splunk %s' %session_key)})
search_results = urllib2.urlopen(request)
print "Full url is: " + request.get_full_url()
print "Data is: " + request.get_data()  
print search_results.read()

The url and data (query) printed in output are:

Full url is: https://localhost:8089/servicesNS/admin/search/search/jobs/export
Data is: search=search+memorystatus+%7C+head+3&earliest=1369436400&output_mode=json&latest=1369522800

I'm new to Splunk and I can't really figure out what's wrong, this is driving me crazy...

Thanks.

barakreeves · ‎05-31-2013

Have you tried placing the time range in the search like so:
curl -k -u user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search * earliest=05/27/2013:0:0:0 latest=05/29/2013:0:0:0 | head 5" -d output_mode=json

View solution in original post

barakreeves · ‎05-31-2013

Have you tried placing the time range in the search like so:
curl -k -u user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search * earliest=05/27/2013:0:0:0 latest=05/29/2013:0:0:0 | head 5" -d output_mode=json

cramasta · ‎03-02-2015

Have you tried these?
-d earliest_time="-10m@m" -d latest_time="-5m@m"

barakreeves · ‎05-31-2013

Glad it worked. I will see if I can get that doc example updated. One of the great things about Splunk documentation is that they are living documents, constantly being updated.

polentaelettric · ‎05-31-2013

that's it ! thank you very much, I didn't know that syntax was possible. They should update the documentation though because the examples are wrong. E.g. in http://docs.splunk.com/Documentation/Splunk/5.0.3/RESTAPI/RESTsearch#search.2Fjobs.2Fexport the curl snippet uses -d earliest="rt-5m" -d latest="rt" which is not working.

earliest / latest not working with simple curl/Python query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation