Is it possible to specify absolute boundaries for the earliest and latest parameters in a custom times.conf? The documentation of times.conf seems to indicate that it cannot be done. In my environment, it is useful to specify a time range "Fall2013Semester" that has absolute boundaries.
The following stanza will return an "invalid value for earliest parameter" error.
[Fall2013]
label = During Fall 2013 semester
header_label = During Fall 2013 semester
earliest_time = 8/23/2013:00:00:00
latest_time = 8/25/2013:00:00:00
order = 10
Splunk Employee:
I was able to do this with the epoch time stamp. I first used the "regular" flashtimeline view to set the endpoints of my search time frame to 9/4/13 00:00:00 and 12/13/13 00:00:00 (your times will be different). I then clicked search. The URL bar of my browser now contained these time values converted to epoch times, looking a bit like this:
... earliest=1378278000&latest=1386921600 ...
I then went into my times.conf and created the following:
[Fall_2013]
label = Fall Semester 2013
earliest_time = 1378278000
latest_time = 1386921600
After a visit to the debug/refresh URL, this item was now on my pulldown menu, and selected the desired times.
This worked like a charm! Thank you very much for figuring this out!
HiroshiSatoh:
It is relative to the document identifier.
- The relative time identifier string that represents the earliest event to return, inclusive.
http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Timesconf