Can I pass an indexed Date value to the time picker?

calarie001
Explorer

As far as I know the time picker searches based on the time that the data was indexed in Splunk. I need to search based on the Date values in the events in the dataset. Is this possible?

woodcock
Esteemed Legend

You are incorrect. Splunk searches based on the time that the event was stamped, and YOU control that. You need to set up your input correctly using TIME_PREFIX=, MAX_TIMESTAMP_LOOKAHEAD=, and TIME_FORMAT= inside of props.conf for your source or sourcetype. Some silly people do use DATETIME_CONFIG=CURRENT to make Splunk set the time to the time the event was indexed, but this is very uncommon and short-sighted and almost always the wrong approach.
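As an added illustration of the props.conf settings named above (this is not from the original thread), assume the raw events look like `Date=2019-03-04 Time=13:45:00 Job=PAYROLL Status=OK` and arrive under a sourcetype called `ca7_jobs`; both the event layout and the sourcetype name are assumptions:

```ini
# props.conf (assumed sourcetype name; goes on the instance that parses the data,
# i.e. the indexer or heavy forwarder, not just the search head)
[ca7_jobs]
# Constructed sample event the settings below are written for:
#   Date=2019-03-04 Time=13:45:00 Job=PAYROLL Status=OK
# TIME_PREFIX is a regex; Splunk starts looking for the timestamp right after it.
TIME_PREFIX = Date=
# Maximum number of characters after TIME_PREFIX that Splunk scans for the timestamp.
# "2019-03-04 Time=13:45:00" is 24 characters, so 30 leaves a little slack.
MAX_TIMESTAMP_LOOKAHEAD = 30
# strptime format; the literal " Time=" between the two values is part of the
# format string, so the Date and Time fields are read together as one timestamp.
TIME_FORMAT = %Y-%m-%d Time=%H:%M:%S
# The sample event carries no zone, so state it explicitly; otherwise the parsing
# host's local zone is assumed and the time picker is off by that offset.
TZ = UTC
# Deliberately no DATETIME_CONFIG = CURRENT: that setting is what makes _time the
# index time instead of the event's own Date/Time.
```

Events already indexed keep their old _time; the stanza only affects data parsed after it is deployed, so a quick check is to index one fresh sample event and confirm its _time matches the Date and Time it carries.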

somesoni2
SplunkTrust

The time range picker works on the field _time, which is the timestamp of the event/data (it depends upon how you've parsed the timestamp for your data). This Date value in your data, is it not the same as the _time field? Have a look at this

https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html

calarie001
Explorer

The data I have indexed has Date and Time fields for when the data was initially created, not when it was put into Splunk. I'd like to be able to search by that Date and Time instead of the _time field.

I did look over that link earlier but it looks like you can only get as specific as the day. Does that method allow the search to be narrowed to hour/minute like the default time range picker?

Sorry I'm pretty new to Splunk so if I'm missing some basic concept here I apologize.

somesoni2
SplunkTrust

First, if you've set up your event timestamp (which is the _time field) to be extracted from those Date and Time fields, then your time range would work as you expect. Guessing that's not the case (that's why we're discussing this).

Second, that approach would work on any time range that you'd select. In that post, they override the _time field value with another date/time field, which was just the date in the sample data. If your Date and Time fields have more precision, you can filter for a more specific time range. Like this (your main search should have a time range large enough to select all the data that you need; the subsearches would use the default time range picker values) (assuming YourDateField is the date field from your data with a value in the format YYYY-mm-dd, and YourTimeField is the time field from your data with a value in the format HH:MM:SS):

index=foo sourcetype=bar earliest=0 latest=now()
| eval _time=strptime(YourDateField." ".YourTimeField,"%Y-%m-%d %H:%M:%S")
| where _time>=[| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]

The addinfo command creates the fields info_min_time and info_max_time, which are the earliest and latest values of the time range applied to it.

calarie001
Explorer

I tried following that website's example and I think I'm close, but my search is not displaying all of the events in the specified time range.

The info_min_time and info_max_time are both being calculated correctly and my where statement should also be fine because the _time has been set to the value of the Date field I need. So all of the values are calculated correctly but for some reason my search is leaving out some of the events in the time range.

base search
| eval CA7_DateTime = CA7_Date + " " + CA7_Time
| eval _time=strptime(CA7_DateTime,"%Y-%m-%d %H:%M")
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| eval CA7_FCOMP=if(CA7_FCOMP="n/a"," ",CA7_FCOMP)
| eval CA7_Abend=if(CA7_Abend="n/a"," ",CA7_Abend)
| table CA7_Number CA7_DateTime CA7_Jobname CA7_Abend CA7_FCOMP CA7_Reason

Searching by All Time displays everything correctly but if I try viewing specific days, events are left out.
