Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Invalid value X for time term 'earliest', but only for specific dates

LS2022
Explorer
‎12-21-2022 03:45 AM

Hello Splunk Community,

I'm running a script using the splunk CLI to retrieve the required information. The script has previously been run multiple times without issue.
I am now receiving the following error, but only for specific dates.
FATAL: Invalid value "14/10/2022:2:0:00" for time term 'earliest'

I can reproduce the problem in the graphical interface but if I change the date to '12/10/2022' the query is successful. Likewise, seaching for all logs for the date through the GUI returns the logs for the day. The script has already turned over the first 12 days of the month without error so the syntax is good, and the logs are indexed.

Anyone have any ideas why I am receiving this error only for specific dates within the month?

PS:
Can also reproduce in a different month with the same dates. 12 returns results, 13 returns an error.

Kind regards,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-21-2022 03:59 AM

Hi @LS2022,

you have a wrong time format in your data or in your script: you're using european format (dd/mm/yyyy) instead Splunk, by default uses the american format (mm/dd/yyyy)

so if the date is 12/10/2022 it reads 10th of december 2022, but 14/10/2022 isn't acceptable because months are 12.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-21-2022 03:59 AM

Hi @LS2022,

you have a wrong time format in your data or in your script: you're using european format (dd/mm/yyyy) instead Splunk, by default uses the american format (mm/dd/yyyy)

so if the date is 12/10/2022 it reads 10th of december 2022, but 14/10/2022 isn't acceptable because months are 12.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LS2022
Explorer
‎12-21-2022 04:02 AM

Hello,

Thanks for your reply.

Is this a recent change?

As mentioned, the script previously ran fine. To clarify I am running the script for October and have previously done so without issue, with the range of dates being provided as 01/10/2022 to 30/10/2022.

Kind regards,

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-21-2022 05:23 AM

Hi @LS2022,

no it always was in this way: it's a standard approach in american products, maybe it's changed something in your time definition.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LS2022
Explorer
‎12-21-2022 04:19 AM

Am thinking that as the scdript was run out of hours it processed for the valid dates.
Which would mean we are missing half of every month in previous results.

Gah!

Will go fiddle with the date format and double check the results. Thank for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...