Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Hardcoded time parameters inside a search doesn't work with v9.4.3

Manjunathmuni
Observer
‎07-25-2025 04:05 AM

Hello Splunkers,

The hardcoded time parameters inside a simple search don't work with v9.4.3.  It only takes the input from the time presets. Do you also experience a similar issue?

index=index earliest="-7d@d" latest="-1m@m" and my preset is last 15 mins, then I get this output. 

earliestTime latestTime

07/25/2025 10:40:01.63607/25/2025 10:52:59.564



Very strange. Nothing mentioned on this in the release notes.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-27-2025 04:35 PM

@Manjunathmuni How are you producing that output for earliestTime and latestTime.

Please share the query that produces that output, because those two times do not show the 15 minute preset range. Please also open the job inspector from a search you have run with those SPL values and then open the job properties at the bottom of that page and look for earliestTime and latestTime and post those.

They will be of the format 2025-07-28T00:31:00.000+01:00, not the same as your output.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-26-2025 02:25 PM

Hi @Manjunathmuni 

Ive tried to replicate this issue but not had any success.

Can I check - do you have any srchFilters, srchTimeEarliest or srchTimeWin set in your authorize.conf for your role? Does this affect users in different roles too?

I would suggest raising this with Splunk supportto get this raised.

In the meantime please confirm the above regarding the role(s).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-25-2025 02:51 PM

I would check the job inspector (and job log) for the details of the exact search being spawned. Doesn't your users' role have some limits set for search time ranges? And does it also "work" the same way when you chose longer time range from the time picker?

0 Karma
Reply

Manjunathmuni
Observer
‎07-25-2025 06:49 AM

Unfortunately, it's the same with other indexes as well, including _* indexes.
We tried with another user ID, and the issue is still the same.

0 Karma
Reply

Manjunathmuni
Observer
‎07-25-2025 04:12 AM

Search & Reporting app

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2025 04:14 AM

Have you tried other indexes? Or other users?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-25-2025 04:11 AM

Very strange indeed - it works fine for me (same version). Are you trying this in a dashboard or just in the search app?

0 Karma
Reply

Manjunathmuni
Observer
‎07-28-2025 09:08 AM

This issue occurs only with certain apps, such as Search and Reporting, ITSI, and a few other applications. but works seamlessly on certain apps. The screenshots here are taken from the Search & Reporting app.

works with _internal index
Manjunathmuni_1-1753718537324.png

doesn't work with other indexes. 

Manjunathmuni_2-1753718739119.png

In order for it to work, I need to extend the preset time beyond the earliest time passed inside the search. I have not seen this behavior earlier.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-30-2025 05:43 PM

Are you saying if you run that second search in a different app context, the behaviour is different.

Note that your SPL logic to do stats earliest(_time) as min_time will not tell you the actual search range, just the time of the earliest event it found.

Try the SPL 

...
| stats min(_time) as min_time max(_time) as max_time by index
| convert ctime(min_time) ctime(max_time)
| addinfo

The addinfo command will show you the actual search range used by the search irrespective of any events found.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...