Splunk Search

Absolute range in custom times.conf

leune
Path Finder

Is it possible to specify absolute boundaries for the earliest and latest parameters in a custom times.conf? The documentation of times.conf seems to indicate that it cannot be done. In my environment, it is useful to specify a time range "Fall2013Semester" that has absolute boundaries.

The following stanza will return an "invalid value for earliest parameter" error.

[Fall2013]
label = During Fall 2013 semester
header_label = During Fall 2013 semester
earliest_time = 8/23/2013:00:00:00
latest_time = 8/25/2013:00:00:00
order = 10

sowings
Splunk Employee
Splunk Employee

I was able to do this with the epoch time stamp. I first used the "regular" flashtimeline view to set the endpoints of my search time frame to 9/4/13 00:00:00 and 12/13/13 00:00:00 (your times will be different). I then clicked search. The URL bar of my browser now contained these time values converted to epoch times, looking a bit like this:

... earliest=1378278000&latest=1386921600 ...

I then went into my times.conf and created the following:
[Fall_2013]
label = Fall Semester 2013
earliest_time = 1378278000
latest_time = 1386921600

After a visit to the debug/refresh URL, this item was now on my pulldown menu, and selected the desired times.



leune
Path Finder

This worked like a charm! Thank you very much for figuring this out!


HiroshiSatoh
Champion

It is relative to the document identifier.

  • The relative time identifier string that represents the earliest event to return, inclusive.

http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Timesconf
