Solved: Query time modifier

1234testtest · ‎03-11-2013

I have a saved search and I would like to limit the output to a specific timeframe- but unfortunately I am getting complete results and not the time range alone I want. | savedsearch test earliest=1355052259 latest=1355055859

(I am using sdk Splunk Java and I'm unable to get desired results either from sdk splunk java or from splunk web UI). Kindly help.

martin_mueller · ‎03-11-2013

Your search does not have placeholders $earliest$ and $latest$, so doing

| savedsearch test earliest=1355052259 latest=1355055859

makes no variable substitutions for earliest and latest happen.

View solution in original post

martin_mueller · ‎03-11-2013

Your search does not have placeholders $earliest$ and $latest$, so doing

| savedsearch test earliest=1355052259 latest=1355055859

makes no variable substitutions for earliest and latest happen.

1234testtest · ‎03-13-2013

Thank you.

1234testtest · ‎03-11-2013

index="ia" sourcetype="test1" OR sourcetype="test2" | transaction fields="myfield" startswith="started" endswith="ended" | search index=ia duration>5 |convert ctime(_time) as Time | sort by Time

duration is an extracted field

martin_mueller · ‎03-11-2013

What's your search?

Query time modifier

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?