Absolute range in custom times.conf

leune
Path Finder

Is it possible to specify absolute boundaries for the earliest and latest parameters in a custom times.conf? The documentation of times.conf seems to indicate that it cannot be done. In my environment, it is useful to specify a time range "Fall2013Semester" that has absolute boundaries.

The following stanza will return an "invalid value for earliest parameter" error.

[Fall2013]
label = During Fall 2013 semester
header_label = During Fall 2013 semester
earliest_time = 8/23/2013:00:00:00
latest_time = 8/25/2013:00:00:00
order = 10

sowings
Splunk Employee

I was able to do this with the epoch time stamp. I first used the "regular" flashtimeline view to set the endpoints of my search time frame to 9/4/13 00:00:00 and 12/13/13 00:00:00 (your times will be different). I then clicked search. The URL bar of my browser now contained these time values converted to epoch times, looking a bit like this:

... earliest=1378278000&latest=1386921600 ...

I then went into my times.conf and created the following:

[Fall_2013]
label = Fall Semester 2013
earliest_time = 1378278000
latest_time = 1386921600

After a visit to the debug/refresh URL, this item was now on my pulldown menu, and selected the desired times.

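The accepted answer gets its epoch values by reading earliest=/latest= out of the search URL after setting the picker. The script below, an added example that is not part of the original answer or of Splunk, computes the same boundaries directly from wall-clock dates and emits the times.conf stanza, then converts the epoch values back so you can see which local time and zone they really denote. It assumes the semester boundaries are local midnights in America/Los_Angeles, because that is the zone that reproduces the answer's 1378278000 and 1386921600 (note the first lands in PDT and the second in PST); the helper names to_epoch, build_stanza and describe_epoch are chosen here, not Splunk settings.

```python
# Added example (not from the original post or from Splunk): build a
# times.conf stanza with absolute epoch boundaries from wall-clock dates.
#
# Assumption (not stated on the page): the boundaries are local midnights in
# America/Los_Angeles, the zone that reproduces the answer's epoch values.
# Splunk's time picker converts using the searching user's configured time
# zone, so the zone must be explicit here; the same wall-clock time in another
# zone yields a different epoch and a silently shifted range.
from datetime import datetime
from zoneinfo import ZoneInfo


def to_epoch(local_ts: str, tz: str) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS' in IANA zone `tz` to Unix epoch seconds."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return int(naive.replace(tzinfo=ZoneInfo(tz)).timestamp())


def describe_epoch(epoch: int, tz: str) -> str:
    """Render an epoch value as local time plus zone abbreviation, for checking."""
    return datetime.fromtimestamp(epoch, ZoneInfo(tz)).strftime("%Y-%m-%d %H:%M:%S %Z")


def build_stanza(name: str, label: str, earliest: str, latest: str, tz: str) -> str:
    """Return a times.conf stanza whose boundaries are absolute epoch seconds.

    Rejects an empty or inverted range, which Splunk would otherwise accept as
    a menu entry that simply matches nothing.
    """
    e, l = to_epoch(earliest, tz), to_epoch(latest, tz)
    if l <= e:
        raise ValueError(f"latest ({l}) must be after earliest ({e})")
    return "\n".join([
        f"[{name}]",
        f"label = {label}",
        f"earliest_time = {e}",
        f"latest_time = {l}",
    ])


if __name__ == "__main__":
    ZONE = "America/Los_Angeles"  # assumed zone, see note above
    text = build_stanza("Fall_2013", "Fall Semester 2013",
                        "2013-09-04 00:00:00", "2013-12-13 00:00:00", ZONE)
    print(text)
    # Round-trip each boundary so the DST difference between the two is visible.
    for line in text.splitlines():
        if line.startswith(("earliest_time", "latest_time")):
            key, value = (s.strip() for s in line.split("="))
            print(f"# {key} {value} = {describe_epoch(int(value), ZONE)}")
```

Paste the printed stanza into a times.conf under an app's local directory and hit the debug/refresh URL, as the answer describes. If your users search in a different time zone, regenerate the values with that zone rather than reusing numbers copied from someone else's URL bar.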


leune
Path Finder

This worked like a charm! Thank you very much for figuring this out!


HiroshiSatoh
Champion

It is relative to the document identifier.

  • The relative time identifier string that represents the earliest event to return, inclusive.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Timesconf
