Splunk Search

How do you customize the time span for searches and reports?

mbasharat
Builder

Hi,

I need to know if Splunk allows searching back a "specified" time instead of using only earliest and latest.

I have data that I want to search from:

Jan 1st, YYYY till March 31st, YYYY

Likewise for the next 3 months and so on for the whole year. I know starttime and endtime are deprecated.

Splunk Enterprise 6.6.6 and +

This is to be done for scheduling a report, so I want to specify the times in the schedule report option.

Thanks in advance.

0 Karma
1 Solution

sir_lamneth
Explorer

You can manually set time fields in your search like the following:

index=_internal earliest="10/31/2018:12:00:00" latest="10/31/2018:13:00:00"

The confusing thing is the format when hardcoding earliest/latest is %m/%d/%Y:%H:%M:%S

https://docs.splunk.com/Documentation/Splunk/7.2.0/Search/Specifytimemodifiersinyoursearch

0 Karma

mbasharat
Builder

Hi sir_lamneth,

This works in the actual search string.

What about the scheduling report area?
1) Report>Edit>Edit Search> Earliest & Latest time
2) Report>Edit>Edit Schedule> Schedule Report>Time Range>Advanced>Earliest & Latest

0 Karma

sir_lamneth
Explorer

I don't think that you can specify an absolute time via the web GUI for a Report. If you put in an absolute time you probably are seeing an error like this when saving:

Cannot parse time argument 'dispatch.earliest_time': '10/31/2018:12:00:00'

BUT, if you have command-line access to your Splunk instance then you can always manually edit the savedsearches.conf file that your Report is being saved in. You'll want to set the dispatch.earliest_time and dispatch.latest_time values, and make sure the format of your absolute time matches the format defined by dispatch.time_format. More info here:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf

0 Karma
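As an added example (not code from the thread), here is a small Python helper that writes the quarterly savedsearches.conf stanzas the question asks for, putting dispatch.earliest_time and dispatch.latest_time in exactly the format given by dispatch.time_format so the save does not fail with the parse error quoted above, and that checks the values really do parse. The stanza names, the search string and the cron schedule are made-up placeholders.

```python
"""Generate and validate quarterly savedsearches.conf stanzas (added example)."""
from datetime import datetime
from typing import List, Tuple

# Same format the answer above uses for hard-coded earliest/latest in a search.
# In savedsearches.conf it must match dispatch.time_format exactly, otherwise
# Splunk rejects it with "Cannot parse time argument 'dispatch.earliest_time'".
TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"


def quarter_bounds(year: int) -> List[Tuple[datetime, datetime]]:
    """Return (earliest, latest) pairs for the four quarters of a year.

    latest is midnight at the start of the next quarter, so that all of the
    last day (e.g. March 31st) is still inside the quarter's window.
    """
    starts = [datetime(year, m, 1) for m in (1, 4, 7, 10)]
    starts.append(datetime(year + 1, 1, 1))
    return list(zip(starts, starts[1:]))


def render_stanza(name: str, search: str, earliest: datetime, latest: datetime,
                  cron: str = "0 6 1 * *") -> str:
    """Build a savedsearches.conf stanza with absolute dispatch times.

    The cron expression is a placeholder chosen for this example.
    """
    return "\n".join([
        f"[{name}]",
        f"search = {search}",
        "enableSched = 1",
        f"cron_schedule = {cron}",
        f"dispatch.time_format = {TIME_FORMAT}",
        f"dispatch.earliest_time = {earliest.strftime(TIME_FORMAT)}",
        f"dispatch.latest_time = {latest.strftime(TIME_FORMAT)}",
        "",
    ])


def validate_stanza(stanza: str) -> bool:
    """True if earliest/latest parse with dispatch.time_format and are ordered."""
    kv = dict(line.split(" = ", 1) for line in stanza.splitlines() if " = " in line)
    try:
        fmt = kv["dispatch.time_format"]
        earliest = datetime.strptime(kv["dispatch.earliest_time"], fmt)
        latest = datetime.strptime(kv["dispatch.latest_time"], fmt)
    except (KeyError, ValueError):
        return False
    return earliest < latest


def quarterly_stanzas(year: int, search: str) -> List[str]:
    """One stanza per quarter; names like quarterly_report_2019_Q1 are placeholders."""
    return [render_stanza(f"quarterly_report_{year}_Q{i}", search, e, l)
            for i, (e, l) in enumerate(quarter_bounds(year), start=1)]
```

Run validate_stanza on each stanza before appending it to savedsearches.conf; a value in any other format (for example an ISO 8601 timestamp) is rejected, which is the same mismatch the GUI error above reports.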

mbasharat
Builder

This is exactly the error I am seeing. I think I can live with the first solution you provided because that takes priority over the selection. Thanks again!!! 😉

0 Karma