Splunk Search

How to add custom start date and end date in splunk query (without the using splunk default date picker) ?

sajithpm101
New Member

Hi,
I have to pass a custom 'startdate' and 'enddate' in Splunk query in the search tab (without the help of Splunk default date picker which is available in the Splunk app search tab).
Anyone can show me an example with a basic search which will work in Splunk search (page)?

0 Karma
1 Solution

gportnoy
Explorer

If I am understanding your question correctly you looking for "earliest" and "latest" parameters:
index=_internal earliest="06/24/2019:0:0:0" latest="06/24/2019:23:59:59"

View solution in original post

0 Karma

gportnoy
Explorer

If I am understanding your question correctly you looking for "earliest" and "latest" parameters:
index=_internal earliest="06/24/2019:0:0:0" latest="06/24/2019:23:59:59"

0 Karma

sajithpm101
New Member

@gportnoy Thanks for the Answer.

index=_internal earliest="05/26/2019:12:00:00" latest="06/25/2019:12:03:00" | stats count by sourcetype

This is working well. I need to do some customization for using the queries in my custom js file.

0 Karma

gportnoy
Explorer

If I am understanding your question correctly you looking for "earliest" and "latest" parameters:
index=_internal earliest="06/24/2019:0:0:0" latest="06/24/2019:23:59:59"

0 Karma

sajithpm101
New Member

@gportnoy Thanks for your answer.

0 Karma

jnudell_2
Builder

This question does not provide enough information.
Where are you passing the custom 'startdate' and 'enddate'?
What are you searching for?
What's the context of your question in regards to your data?

0 Karma

sajithpm101
New Member

@jnudell_2 Below I have mention more details about my question. Please go through that.

Example query: "index=_internal | stats count by sourcetype"

I want to know is there any way to pass 'startdate' and 'enddate' on the above mentioned Splunk query.
for example 01/05/2019 (startdate) to 04/05/2019 (enddate) in Splunk search tab page.
If that is not possible in this query then please show me how to do that in any other query.

I am using a custom js page for calling Splunk queries. I have mentioned a sample below

var mySearch = new SearchManager({
id: "mysearch",
preview: true,
cache: false,
search: mvc.tokenSafe('index=_internal | stats count by sourcetype')
});

So if you help me how to achieve 'startdate' and 'enddate' in splunk query(manually) I can run that query in js file and check the data is loading or not.

Thanks in Advance.

0 Karma

harshpatel
Contributor

Hi @sajithpm101,

You can provide the earliest and latest time in the SearchManager object itself.
Like:

var searchFunctionalAreas = new SearchManager({
        id: "functional-areas",
        earliest_time: startdate_in_epochs,
        latest_time: enddate_in_epochs,
        preview: true,
        cache: false,
        search: 'your search here...'
});

Tell me if I am missing something.

0 Karma

DavidHourani
Super Champion

Hi @sajithpm101,

You can use the addinfo command to include all the search info to your results :

|makeresults | addinfo

This will add the time you ran the search along with the min and max time you are looking for.

More info on addinfo here :
https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Addinfo

Hope that helps.

Cheers,
David

0 Karma

DavidHourani
Super Champion

@sajithpm101, did you try using addinfo as suggested ?

0 Karma

sajithpm101
New Member

@DavidHourani Thanks for your answer. It was new knowledge for me.

But actually, this is not I want. I would like to clear my question little more deeply.
for example, I have a basic query that I have mentioned below.

example query: 'index=_internal | stats count by sourcetype' .

I want to know how can I apply the startdate and endate for this query (01/05/19 to 04/05/19) in splunk search page. Right now if I write the query in Splunk search page it will run based on the date range which I have given in the Splunk default date picker. Instead of this what is the custom range date i have given in the search bar with a query should give the result.

I think now you can clearly understand my requirement.

Thanks in Advance

0 Karma

DavidHourani
Super Champion

Hi @sajithpm101,

Got it!

So by default when you save a search to a dashboard it will use the current time of the search you created. You can click on edit search on the dashboard and change that if needed.

Another easy way to control this time is to save your search as a report including the time. They reuse that report wherever needed on that time frame.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...