Splunk Search

Can't get results using _time in my search

Communicator

I performed this search

index=* source="WinEventLog:System" EventCode=3 host=jj1 | table host, _time, message

and get the following results:

jj1 2016-05-02 18:27:04 Service started.
jj1 2016-05-02 18:23:55 VMCI: Using capabilities (0xc).

I want to narrow this down with the following search

index=* source="WinEventLog:System" EventCode=3 host=jj1 _time>="2016-05-02 18:27:04" |table host, _time, Message

I receive no results. Please advise on how to make this work.

Many thanks.

0 Karma
1 Solution

Esteemed Legend

Check out the fieldformat command. Splunk automatically calls this inside every search so that, even though _time is actually a time_t and an integer, it is displayed to the user in his location-adjusted preference (in most cases, en_us). So your search should be:

index=* source="WinEventLog:System" EventCode=3 host=jj1 _time>= [|noop|stats count AS myTime | eval myTime = "2016-05-02 18:27:04" | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(myTime) | return $myTime] |table host _time Message

View solution in original post

0 Karma

Esteemed Legend

Check out the fieldformat command. Splunk automatically calls this inside every search so that, even though _time is actually a time_t and an integer, it is displayed to the user in his location-adjusted preference (in most cases, en_us). So your search should be:

index=* source="WinEventLog:System" EventCode=3 host=jj1 _time>= [|noop|stats count AS myTime | eval myTime = "2016-05-02 18:27:04" | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(myTime) | return $myTime] |table host _time Message

View solution in original post

0 Karma

Communicator

THANK YOU!!!!!

0 Karma

Legend

_time is always in epoch time. Here is some information how you can use time modifiers to filter you data by time.

http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/SearchTimeModifiers

0 Karma