Splunk Search

Hardcoded time parameters inside a search don't work with v9.4.3

Manjunathmuni
Observer

Hello Splunkers,

The hardcoded time parameters inside a simple search don't work with v9.4.3. It only takes the input from the time presets. Do you also experience a similar issue?

index=index earliest="-7d@d" latest="-1m@m" and my preset is last 15 mins, then I get this output. 

earliestTime              latestTime
07/25/2025 10:40:01.636   07/25/2025 10:52:59.564



Very strange. Nothing mentioned on this in the release notes.

0 Karma

bowesmana
SplunkTrust

@Manjunathmuni How are you producing that output for earliestTime and latestTime?

Please share the query that produces that output, because those two times do not show the 15 minute preset range. Please also open the job inspector from a search you have run with those SPL values and then open the job properties at the bottom of that page and look for earliestTime and latestTime and post those.

They will be of the format 2025-07-28T00:31:00.000+01:00, not the same as your output.

0 Karma

livehybrid
SplunkTrust

Hi @Manjunathmuni 

I've tried to replicate this issue but not had any success.

Can I check - do you have any srchFilters, srchTimeEarliest or srchTimeWin set in your authorize.conf for your role? Does this affect users in different roles too?

I would suggest raising this with Splunk support to get this raised.

In the meantime please confirm the above regarding the role(s).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
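One way to run the role check requested above, as an added example that is not part of any post in this thread: a short Python script that lists every search restriction a role sets itself or picks up through `importRoles`. The stanza contents are constructed, `srchFilter` is the key's spelling in authorize.conf, and the script only reports where limits are set; it does not work out which limit Splunk finally applies.

```python
import configparser

# Keys from the post above; srchFilter is the authorize.conf spelling.
KEYS = ("srchTimeWin", "srchTimeEarliest", "srchFilter")

# Constructed sample, not taken from the thread or any real deployment.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchTimeWin = -1

[role_analyst]
importRoles = user
srchTimeWin = 900
srchFilter = index!=secret

[role_auditor]
importRoles = analyst
srchTimeEarliest = 604800
"""

def parse_roles(conf_text):
    """Map role name -> settings for every [role_<name>] stanza."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: srchTimeWin, not srchtimewin
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp.items(s))
            for s in cp.sections() if s.startswith("role_")}

def restrictions(roles, name, seen=None):
    """List (role, key, value) limits set on `name` or on roles it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return []
    seen.add(name)
    found = []
    for key in KEYS:
        value = roles[name].get(key, "").strip()
        # Assumption: -1 (unset) and 0 (unlimited) impose no time limit.
        if value and not (key != "srchFilter" and value in ("-1", "0")):
            found.append((name, key, value))
    for parent in roles[name].get("importRoles", "").split(";"):
        found += restrictions(roles, parent.strip(), seen)
    return found

if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for role in roles:
        for source, key, value in restrictions(roles, role):
            print(f"{role}: {key} = {value} (set in role_{source})")
```

On a real instance the input would be the merged configuration, for example the output of `splunk btool authorize list`, rather than a single file.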

PickleRick
SplunkTrust

I would check the job inspector (and job log) for the details of the exact search being spawned. Doesn't your users' role have some limits set for search time ranges? And does it also "work" the same way when you choose a longer time range from the time picker?

0 Karma

Manjunathmuni
Observer

Unfortunately, it's the same with other indexes as well, including _* indexes.
We tried with another user ID, and the issue is still the same.

0 Karma

Manjunathmuni
Observer

Search & Reporting app

0 Karma

ITWhisperer
SplunkTrust

Have you tried other indexes? Or other users?

0 Karma

ITWhisperer
SplunkTrust

Very strange indeed - it works fine for me (same version). Are you trying this in a dashboard or just in the search app?

0 Karma

Manjunathmuni
Observer

This issue occurs only with certain apps, such as Search and Reporting, ITSI, and a few other applications, but works seamlessly on certain apps. The screenshots here are taken from the Search & Reporting app.

works with _internal index
[Screenshot: Manjunathmuni_1-1753718537324.png]

doesn't work with other indexes. 

[Screenshot: Manjunathmuni_2-1753718739119.png]

In order for it to work, I need to extend the preset time beyond the earliest time passed inside the search. I have not seen this behavior earlier.

0 Karma

bowesmana
SplunkTrust

Are you saying if you run that second search in a different app context, the behaviour is different?

Note that your SPL logic to do stats earliest(_time) as min_time will not tell you the actual search range, just the time of the earliest event it found.

Try the SPL:

...
| stats min(_time) as min_time max(_time) as max_time by index
| convert ctime(min_time) ctime(max_time)
| addinfo

The addinfo command will show you the actual search range used by the search irrespective of any events found.

0 Karma