Splunk Search

How to add a custom start date and end date in a Splunk query (without using the Splunk default date picker)?

New Member

Hi,
I have to pass a custom 'startdate' and 'enddate' in a Splunk query in the search tab (without the help of the Splunk default date picker which is available in the Splunk app search tab).
Can anyone show me an example with a basic search which will work in Splunk search (page)?

0 Karma
1 Solution

Explorer

If I am understanding your question correctly, you are looking for the "earliest" and "latest" parameters:
index=_internal earliest="06/24/2019:0:0:0" latest="06/24/2019:23:59:59"

0 Karma

New Member

@gportnoy Thanks for the Answer.

index=_internal earliest="05/26/2019:12:00:00" latest="06/25/2019:12:03:00" | stats count by sourcetype

This is working well. I need to do some customization for using the queries in my custom js file.

0 Karma

New Member

@gportnoy Thanks for your answer.

0 Karma

Builder

This question does not provide enough information.
Where are you passing the custom 'startdate' and 'enddate'?
What are you searching for?
What's the context of your question in regards to your data?

0 Karma

New Member

@jnudell_2 Below I have mentioned more details about my question. Please go through them.

Example query: "index=_internal | stats count by sourcetype"

I want to know if there is any way to pass 'startdate' and 'enddate' in the above-mentioned Splunk query,
for example 01/05/2019 (startdate) to 04/05/2019 (enddate), in the Splunk search tab page.
If that is not possible in this query, then please show me how to do that in any other query.

I am using a custom js page for calling Splunk queries. I have mentioned a sample below

var mySearch = new SearchManager({
        id: "mysearch",
        preview: true,
        cache: false,
        search: mvc.tokenSafe('index=_internal | stats count by sourcetype')
});

So if you help me with how to achieve 'startdate' and 'enddate' in a Splunk query (manually), I can run that query in the js file and check whether the data is loading or not.

Thanks in Advance.

0 Karma

Contributor

Hi @sajithpm101,

You can provide the earliest and latest time in the SearchManager object itself.
Like:

var searchFunctionalAreas = new SearchManager({
        id: "functional-areas",
        earliest_time: startdate_in_epochs,
        latest_time: enddate_in_epochs,
        preview: true,
        cache: false,
        search: 'your search here...'
});

Tell me if I am missing something.

0 Karma
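
Added example (not part of the thread and not Splunk's own code): one way to turn user-supplied start and end dates into the epoch values the SearchManager answer above expects, rejecting anything that is not a plain date so the values stay out of the search string. The helper names, the MM/DD/YYYY[:H:M:S] input layout and treating the dates as UTC are assumptions.

```javascript
// Added example; toEpochSeconds and buildSearchOptions are hypothetical helper names.
// Accepts MM/DD/YYYY with an optional :H:M:S suffix (the layout used in the accepted answer).
const DATE_RE = /^(\d{2})\/(\d{2})\/(\d{4})(?::(\d{1,2}):(\d{1,2}):(\d{1,2}))?$/;

// Convert a date string to epoch seconds. Assumption: the date is treated as UTC.
function toEpochSeconds(text) {
  const m = DATE_RE.exec(String(text).trim());
  if (!m) throw new Error("unsupported date format: " + text);
  const [mo, d, y, h, mi, s] = m.slice(1).map((v) => (v === undefined ? 0 : Number(v)));
  const ms = Date.UTC(y, mo - 1, d, h, mi, s);
  const back = new Date(ms);
  // Date.UTC silently rolls over values such as 02/31, so compare the round trip.
  const same = back.getUTCFullYear() === y && back.getUTCMonth() === mo - 1 &&
    back.getUTCDate() === d && back.getUTCHours() === h &&
    back.getUTCMinutes() === mi && back.getUTCSeconds() === s;
  if (!same) throw new Error("not a real calendar date/time: " + text);
  return ms / 1000;
}

// Build the options object passed to `new SearchManager(...)`.
function buildSearchOptions(id, search, startdate, enddate) {
  const earliest = toEpochSeconds(startdate);
  const latest = toEpochSeconds(enddate);
  if (earliest >= latest) throw new Error("startdate must be before enddate");
  return { id, earliest_time: earliest, latest_time: latest, preview: true, cache: false, search };
}

// Constructed sample input.
const options = buildSearchOptions("mysearch", "index=_internal | stats count by sourcetype",
  "06/24/2019", "06/24/2019:23:59:59");
console.log(options);
// In a dashboard script: var mySearch = new SearchManager(options);
```

Passing the times as separate properties keeps the dates out of the search string itself.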

Super Champion

Hi @sajithpm101,

You can use the addinfo command to include all the search info in your results:

|makeresults | addinfo

This will add the time you ran the search along with the min and max time you are looking for.

More info on addinfo here:
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Addinfo

Hope that helps.

Cheers,
David

0 Karma

Super Champion

@sajithpm101, did you try using addinfo as suggested?

0 Karma

New Member

@DavidHourani Thanks for your answer. It was new knowledge for me.

But actually, this is not what I want. I would like to explain my question in a little more depth.
For example, I have a basic query that I have mentioned below.

Example query: 'index=_internal | stats count by sourcetype'.

I want to know how I can apply the startdate and enddate for this query (01/05/19 to 04/05/19) in the Splunk search page. Right now, if I write the query in the Splunk search page, it will run based on the date range which I have given in the Splunk default date picker. Instead of this, the custom date range I have given in the search bar with the query should give the result.

I think now you can clearly understand my requirement.

Thanks in Advance

0 Karma

Super Champion

Hi @sajithpm101,

Got it!

So by default when you save a search to a dashboard it will use the current time of the search you created. You can click on edit search on the dashboard and change that if needed.

Another easy way to control this time is to save your search as a report including the time. Then reuse that report wherever needed on that time frame.

0 Karma