Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Entering earliest and latest time for backfill summary search. What is the format?

the_wolverine
Champion
‎03-13-2012 11:18 AM

I'm having trouble figuring out the proper syntax for specifying an exact date/time for my summary backfill search. For example I have a start date of February 2, 2012 5am. I've tried the following without success:

2012-02-02 05:00:00
02/02/2012 05:00:00
02-02-2012T05:00:00

Reply
1 Solution
Solved! Jump to solution
Solution

skawasaki_splun
Splunk Employee
Splunk Employee
‎05-03-2018 06:34 AM

It turns out you have to use epoch time. I found this out when I actually opened the fill_summary_index.py script and saw

Usage: splunk cmd python fill_summary_index.py [OPTIONS]

***Note: <boolean> options accept the values "1", "t", "true", or "yes" for true
                                        and "0", "f", "false", or "no" for false

-et <string>            Earliest time (required).  Either a UTC time (integer since unix epoch)
                                        or a Splunk search relative time string [1].

-lt <string>            Latest time (required).  Either a UTC time (integer since unix epoch)
                                        or a Splunk search relative time string [1].

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skawasaki_splun
Splunk Employee
Splunk Employee
‎05-03-2018 06:34 AM

It turns out you have to use epoch time. I found this out when I actually opened the fill_summary_index.py script and saw

Usage: splunk cmd python fill_summary_index.py [OPTIONS]

***Note: <boolean> options accept the values "1", "t", "true", or "yes" for true
                                        and "0", "f", "false", or "no" for false

-et <string>            Earliest time (required).  Either a UTC time (integer since unix epoch)
                                        or a Splunk search relative time string [1].

-lt <string>            Latest time (required).  Either a UTC time (integer since unix epoch)
                                        or a Splunk search relative time string [1].
0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-13-2012 02:52 PM

I use epoch time format, though other formats should also work.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎03-13-2012 01:06 PM

Usually the summary search is scheduled and this format should work:

%m/%d/%Y:%H:%M:%S

For example, this should search all os data between the 10th and 11th of March:

index=os earliest=03/10/2012:0:0:0 latest=03/11/2012:0:0:0

Detailing where you set this (at the scheduler wizard?) would help.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎03-13-2012 11:20 AM

http://docs.splunk.com/Documentation/Splunk/latest/User/ChangeTheTimeRangeOfYourSearch#Syntax_for_re...

This document was referenced in the summary script's help section but it didn't answer my question. I still don't have a working example.

The example provided on that page does not work:
earliest_time=10/19/2009:0:0:0

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...