Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you customize the time span for searches and reports?

mbasharat
Builder
‎10-31-2018 01:04 PM

Hi,

I need to know if Splunk allows searching back a "specified" time instead of using only earliest and latest.

I have data that I want to search from:

Jan 1st, YYYY till March 31st, YYYY

Likewise for the next 3 months and so on for the whole year. I know starttime and endtime are deprecated.

Splunk Enterprise 6.6.6 and +

This is to be done for scheduling a report, so I want to specify the times in the schedule report option.

Thanks in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sir_lamneth
Explorer
‎10-31-2018 01:15 PM

You can manually set time fields in your search like the following:

index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"

The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sir_lamneth
Explorer
‎10-31-2018 01:15 PM

You can manually set time fields in your search like the following:

index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"

The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-31-2018 01:58 PM

Hi sir_lamneth,

This works in the actual search string.

What about the scheduling report area?
1) Report>Edit>Edit Search> Earliest & Latest time
2) Report>Edit>Edit Schedule> Schedule Report>Time Range>Advanced>Earliest & Latest

0 Karma
Reply
Solved! Jump to solution

sir_lamneth
Explorer
‎10-31-2018 02:26 PM

I don't think that you can specify an absolute time via the web GUI for a Report. If you put in an absolute time you probably are seeing an error like this when saving:

Cannot parse time argument 'dispatch.earliest_time': '10/31/2018:12:00:00'

BUT, if you have command-line access to your Splunk instance than you can always manually edit the savedsearches.conf file that your Report is being saved in. You'll want to set the dispatch.earliest_time and dispatch.latest_time values, and make sure the format of your absolute time matches the format defined by dispatch.time_format. More info here:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-31-2018 03:42 PM

This is exactly the error I am seeing. I think I can live with the first solution you provided because that takes priority over the selection. Thanks again!!! 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...