Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you customize the time span for searches and reports?

mbasharat
Builder
‎10-31-2018 01:04 PM

Hi,

I need to know if Splunk allows searching back a "specified" time instead of using only earliest and latest.

I have data that I want to search from:

Jan 1st, YYYY till March 31st, YYYY

Likewise for the next 3 months and so on for the whole year. I know starttime and endtime are deprecated.

Splunk Enterprise 6.6.6 and +

This is to be done for scheduling a report, so I want to specify the times in the schedule report option.

Thanks in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sir_lamneth
Explorer
‎10-31-2018 01:15 PM

You can manually set time fields in your search like the following:

index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"

The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sir_lamneth
Explorer
‎10-31-2018 01:15 PM

You can manually set time fields in your search like the following:

index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"

The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-31-2018 01:58 PM

Hi sir_lamneth,

This works in the actual search string.

What about the scheduling report area?
1) Report>Edit>Edit Search> Earliest & Latest time
2) Report>Edit>Edit Schedule> Schedule Report>Time Range>Advanced>Earliest & Latest

0 Karma
Reply
Solved! Jump to solution

sir_lamneth
Explorer
‎10-31-2018 02:26 PM

I don't think that you can specify an absolute time via the web GUI for a Report. If you put in an absolute time you probably are seeing an error like this when saving:

Cannot parse time argument 'dispatch.earliest_time': '10/31/2018:12:00:00'

BUT, if you have command-line access to your Splunk instance than you can always manually edit the savedsearches.conf file that your Report is being saved in. You'll want to set the dispatch.earliest_time and dispatch.latest_time values, and make sure the format of your absolute time matches the format defined by dispatch.time_format. More info here:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎10-31-2018 03:42 PM

This is exactly the error I am seeing. I think I can live with the first solution you provided because that takes priority over the selection. Thanks again!!! 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top