Splunk Search

How do you customize the time span for searches and reports?

mbasharat
Builder

Hi,

I need to know if Splunk allows searching back a "specified" time instead of using only earliest and latest.

I have data that I want to search from:

Jan 1st, YYYY till March 31st, YYYY

Likewise for the next 3 months and so on for the whole year. I know starttime and endtime are deprecated.

Splunk Enterprise 6.6.6 and +

This is to be done for scheduling a report, so I want to specify the times in the schedule report option.

Thanks in advance.

Tags (1)
0 Karma
1 Solution

sir_lamneth
Explorer

You can manually set time fields in your search like the following:

index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"

The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch

View solution in original post

0 Karma

sir_lamneth
Explorer

You can manually set time fields in your search like the following:

index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"

The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch

0 Karma

mbasharat
Builder

Hi sir_lamneth,

This works in the actual search string.

What about the scheduling report area?
1) Report>Edit>Edit Search> Earliest & Latest time
2) Report>Edit>Edit Schedule> Schedule Report>Time Range>Advanced>Earliest & Latest

0 Karma

sir_lamneth
Explorer

I don't think that you can specify an absolute time via the web GUI for a Report. If you put in an absolute time you probably are seeing an error like this when saving:

Cannot parse time argument 'dispatch.earliest_time': '10/31/2018:12:00:00'

BUT, if you have command-line access to your Splunk instance than you can always manually edit the savedsearches.conf file that your Report is being saved in. You'll want to set the dispatch.earliest_time and dispatch.latest_time values, and make sure the format of your absolute time matches the format defined by dispatch.time_format. More info here:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf

0 Karma

mbasharat
Builder

This is exactly the error I am seeing. I think I can live with the first solution you provided because that takes priority over the selection. Thanks again!!! 😉

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...