_time=time1, _raw=some contents
_time=time2, _raw=some contents
_time=time3, _raw=some contents
_time=time4, _raw=some contents
_time=time5, _raw=some contents
Now I want to extract the data between time2 and time3 using the _time field. Can anyone help with this?
How to extract the data depends on the format of the data in _raw. You could use the extract, spath, xpath, or rex commands to do the work, depending on the nature of the data and what you wish to extract. You also could use settings in the props.conf file to extract fields automatically.
Please tell us more about the use case so we can be more specific.
My use case here is to extract data from the last successful run based on the field _time in the Splunk logs.
Writing the same thing over and over again doesn't explain what you want to do. Give us an example of your (anonymized) data, what you want as a result, and what the relation is between source events and result.
Here I'm trying to extract some data from the _raw content.
For example, this is the data in Splunk for now; here the successful run time will be time2:
_time=time2 , _raw=akjfkajdf4jlfadjf5453
_time=time1 , _raw=akjfkajdf6jlfadjf5457,
So, when I hit Splunk again, the data available in Splunk looks like below:
_time=time3 , _raw=akjfkajdf4jlfadjf5453
_time=time4 , _raw=akjfkajdf6jlfadjf5457,
_time=time2 , _raw=akjfkajdf4jlfadjf5454
_time=time1 , _raw=akjfkajdf6jlfadjf5455,
So, using the Splunk API, I need to get the data from the last successful run till now,
so my results should contain from time2 to now:
_time=time3 , _raw=akjfkajdf4jlfadjf5453
_time=time4 , _raw=akjfkajdf6jlfadjf5457,
Hope this will clarify; let me know.
I need to integrate this logic in the Splunk search query.
I don't understand how you define success.
Is it that you run some external tool using API to run a search on splunk and want to return only the events that were ingested since last successful run of your tool?
If so, you simply use "earliest=something latest=something" conditions. You can specify the "somethings" as unix timestamps (number of seconds since epoch) for simplicity.
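As an added illustration of the earliest/latest approach driven from a script (this is not code from anyone in this thread): the script keeps the latest epoch it used as a checkpoint, reuses it as the next run's earliest, and advances the checkpoint only after the export succeeds, so events are neither repeated nor skipped. The host, token, checkpoint file name, base search and the fake transport are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

CHECKPOINT = "last_run.json"  # assumed path for the stored time watermark


def load_checkpoint(path=CHECKPOINT, default=0):
    """Return the 'latest' epoch used by the last successful run (0 = never ran)."""
    if not os.path.exists(path):
        return default
    with open(path) as f:
        return int(json.load(f)["latest"])


def save_checkpoint(latest, path=CHECKPOINT):
    """Advance the watermark; call this only after a run has fully succeeded."""
    with open(path, "w") as f:
        json.dump({"latest": int(latest)}, f)


def build_query(base_search, earliest, latest):
    """earliest is inclusive and latest is exclusive in Splunk, so reusing the
    previous run's latest as this run's earliest leaves no gap and no overlap.
    Note: this filters on _time; late-indexed events with an old _time would be
    missed (use _index_earliest/_index_latest if that matters for the pipeline)."""
    return f"search {base_search} earliest={int(earliest)} latest={int(latest)}"


def run_export(query, host, token, timeout=60):
    """POST the query to the REST export endpoint and return the JSON-lines body."""
    url = f"{host}/services/search/jobs/export"
    body = urllib.parse.urlencode({"search": query, "output_mode": "json"}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def incremental_pull(base_search, host=None, token=None, now=None,
                     path=CHECKPOINT, transport=None):
    """Fetch everything since the last successful run, then move the watermark."""
    now = int(now if now is not None else time.time())
    earliest = load_checkpoint(path)
    query = build_query(base_search, earliest, now)
    send = transport or (lambda q: run_export(q, host, token))
    results = send(query)      # any exception here leaves the checkpoint untouched
    save_checkpoint(now, path)  # reached only on success
    return results
```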