Splunk Search

Query time modifier

1234testtest
Path Finder

I have a saved search and I would like to limit the output to a specific timeframe- but unfortunately I am getting complete results and not the time range alone I want. | savedsearch test earliest=1355052259 latest=1355055859

(I am using sdk Splunk Java and I'm unable to get desired results either from sdk splunk java or from splunk web UI). Kindly help.

Tags (2)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Your search does not have placeholders $earliest$ and $latest$, so doing

| savedsearch test earliest=1355052259 latest=1355055859

makes no variable substitutions for earliest and latest happen.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Your search does not have placeholders $earliest$ and $latest$, so doing

| savedsearch test earliest=1355052259 latest=1355055859

makes no variable substitutions for earliest and latest happen.

1234testtest
Path Finder

Thank you.

0 Karma

1234testtest
Path Finder

index="ia" sourcetype="test1" OR sourcetype="test2" | transaction fields="myfield" startswith="started" endswith="ended" | search index=ia duration>5 |convert ctime(_time) as Time | sort by Time

duration is an extracted field

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

What's your search?

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...