Re: How to write a search for a specific timestamp...

Mubarish · ‎08-19-2014

Hi,
I have my search query which returns a table. In the table, Timestamp is one of my field. Format of the Timestamp field is YYYY/MM/DD HH:MM:SS (i.e) Date(Space)Time
For example
2014/07/10 03:17:44
2014/07/10 03:17:14 etc.
I want to search Timestamp suppose
for example basequery... | search Timestamp = 2014/07/10 03:17:44 , the record with that particular date&time has to display. Since there is a space between date and time, my search shows no result found. How can I search for a specific timestamp?

somesoni2 · ‎08-19-2014

Your logs in Splunk should have _time field in epoch format. You can convert your token value to epoch and compare against _time value.

your base search _time=[|gentimes start=-1 | eval search=strptime("YourDateValue","%Y/%m/%d %H:%M:%S" | table search]

MuS · ‎08-19-2014

Hi Mubarish,

simply use double quotes around the value like in this run everywhere search command (you must be able to search index=_internal) :

 index=_internal "[19/Aug/2014:15* +0200]"

This will show all event from today (as it is the 19th of August 2014) 3pm

hope this helps ...

cheers, MuS

pradeepkumarg · ‎08-19-2014

Did you try this?

basequery| search Timestamp = "2014/07/10 03:17:44"

How to write a search for a specific timestamp?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms