The timerange picker works on the field _time, which is the timestamp of the event/data (it depends upon how you've parsed the timestamp for your data). This Date value in your data, is it not the same as the _time field? Have a look at this
The data I have indexed has Date and Time fields for when the data was initially created, not when it was put into Splunk. I'd like to be able to search by that Date and Time instead of the _time field.
I did look over that link earlier, but it looks like you can only get as specific as the day. Does that method allow the search to be narrowed to hour/minute like the default time range picker?
Sorry, I'm pretty new to Splunk, so if I'm missing some basic concept here I apologize.
First, if you've set up your event timestamp (which is the _time field) to be extracted from those Date and Time fields, then your timerange would work as you expect. Guessing that's not the case (that's why we're discussing this).
Second, that approach would work on any timerange that you'd select. In that post, they override the _time field value with another date/time field, which was just the date in the sample data. If your Date and Time fields have more precision, you can filter for a more specific time range. Like this (your main search should have a time range large enough to select all the data that you need; the subsearches would use the default time range picker values) (assuming YourDateField is the date field from your data with values in the format YYYY-mm-dd and YourTimeField is the time field from your data with values in the format HH:MM:SS):
index=foo sourcetype=bar earliest=0 latest=now() | eval _time=strptime(YourDateField." ".YourTimeField,"%Y-%m-%d %H:%M:%S") | where _time>=[| gentimes start=-1 | addinfo | eval search=info_min_time | table search] AND _time<[| gentimes start=-1 | addinfo | eval search=info_max_time | table search]
The addinfo command creates the fields info_min_time and info_max_time, which are the earliest and latest values of the time range applied to it.
I tried following that website's example and I think I'm close, but my search is not displaying all of the events in the specified time range.
The info_min_time and info_max_time values are both being calculated correctly, and my where statement should also be fine because _time has been set to the value of the Date field I need. So all of the values are calculated correctly, but for some reason my search is leaving out some of the events in the time range.
| eval CA7_DateTime = CA7_Date + " " + CA7_Time
| eval _time=strptime(CA7_DateTime,"%Y-%m-%d %H:%M")
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| eval CA7_FCOMP=if(CA7_FCOMP="n/a"," ",CA7_FCOMP)
| eval CA7_Abend=if(CA7_Abend="n/a"," ",CA7_Abend)
| table CA7_Number CA7_DateTime CA7_Jobname CA7_Abend CA7_FCOMP CA7_Reason
Searching by All Time displays everything correctly, but if I try viewing specific days, events are left out.
You are incorrect. Splunk searches based on the time that the event was stamped and YOU control that. You need to set up your input correctly using TIME_FORMAT= inside of props.conf for your sourcetype. Some silly people do use DATETIME_CONFIG=CURRENT to make Splunk set the time to the time the event was indexed, but this is very uncommon and short-sighted and almost always the wrong approach.
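As an added illustration of the props.conf approach (not posted by anyone in the thread), here is the index-time setting the reply warns against beside a stanza that parses _time from the event's own Date and Time fields. The stanza names, the TZ value and the assumed event layout `CA7_Date=2024-03-05 CA7_Time=14:30` are constructed for the example; adjust TIME_PREFIX and TIME_FORMAT to match the real data.

```ini
# Added example, not from the thread. Assumes each raw event contains the
# two fields laid out as "CA7_Date=2024-03-05 CA7_Time=14:30" (constructed
# sample layout); stanza names and TZ are assumptions.

# --- What the reply warns against: the index time becomes _time, so the
# --- time range picker can never find events by when they actually happened.
[ca7_indextime_bad]
DATETIME_CONFIG = CURRENT

# --- Corrected: extract _time from the event's own Date and Time fields.
[ca7]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Anchor on the text immediately before the date so Splunk does not pick
# up some other number in the event (a job number, a return code) as the
# timestamp.
TIME_PREFIX = CA7_Date=
# strptime-style pattern covering both fields, including the literal text
# that sits between them; minute precision matches the "%Y-%m-%d %H:%M"
# the OP already uses at search time.
TIME_FORMAT = %Y-%m-%d CA7_Time=%H:%M
# Only look this many characters past TIME_PREFIX for the timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 30
# The data carries no UTC offset, so state the source's zone explicitly
# (assumption: UTC); otherwise the indexer's local zone is applied.
TZ = UTC
```

These settings take effect on the indexer or heavy forwarder that parses the data, and only for events indexed after the change; data already indexed keeps its existing _time, which is where the search-time workaround above still applies.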