- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you customize the time span for searche...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need to know if Splunk allows searching back a "specified" time instead of using only earliest and latest.
I have data that I want to search from:
Jan 1st, YYYY till March 31st, YYYY
Likewise for the next 3 months and so on for the whole year. I know starttime and endtime are deprecated.
Splunk Enterprise 6.6.6 and +
This is to be done for scheduling a report, so I want to specify the times in the schedule report option.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can manually set time fields in your search like the following:
index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"
The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S
https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can manually set time fields in your search like the following:
index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"
The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S
https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sir_lamneth,
This works in the actual search string.
What about the scheduling report area?
1) Report>Edit>Edit Search> Earliest & Latest time
2) Report>Edit>Edit Schedule> Schedule Report>Time Range>Advanced>Earliest & Latest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think that you can specify an absolute time via the web GUI for a Report. If you put in an absolute time you probably are seeing an error like this when saving:
Cannot parse time argument 'dispatch.earliest_time': '10/31/2018:12:00:00'
BUT, if you have command-line access to your Splunk instance than you can always manually edit the savedsearches.conf file that your Report is being saved in. You'll want to set the dispatch.earliest_time and dispatch.latest_time values, and make sure the format of your absolute time matches the format defined by dispatch.time_format. More info here:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly the error I am seeing. I think I can live with the first solution you provided because that takes priority over the selection. Thanks again!!! 😉
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
