Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search for events in a specific time range

bhiley
Explorer
‎07-19-2011 06:23 PM

I have data eg. as follows :-

rectype=031 OMD_StrtTime_002="Wed Jul 20 02:59:59 2011" OMD_Endtime_003="Wed Jul 20 03:59:57 2011" etc

Splunk correctly extracts the first datetime as the timestamp for the event (and I assume it identifies the second one as a timestamp ?)
I want to search for events where OMD_StrtTime_002 > 'some specified value' and OMD_Endtime_003 < 'some specified value' - what is the syntax for the query ?
Can't seem to find an example on Splunkbase that applies or write one that works.

Tags (2)
0 Karma
Reply

bhiley
Explorer
‎07-19-2011 11:06 PM

Great thanks I'll try it

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎07-19-2011 07:18 PM

Assuming that splunk is already extracting these values as fields (which it should be), the easiest thing to do is convert everything to time_t. These are simple integers, easily compared.

rectype=031
| eval OMD_Strt_t=strptime(OMD_StrtTime_002,"%A %B %d %H:%M:%S %Y")
| eval OMD_End_t=strptime(OMD_Endtime_003,"%A %B %d %H:%M:%S %Y")
| eval target_start=strptime("Wed Jul 20 01:00:00 2011","%A %B %d %H:%M:%S %Y")
| eval target_end=strptime("Wed Jul 20 05:00:00 2011","%A %B %d %H:%M:%S %Y")
| where OMD_Strt_t > target_start AND OMD_End_t < target_end

It's a bit of hoop jumping just to get everything into nice, easy, comparable time_t integers, but it is worth it from a personal sanity point of view.

The problem here is that Splunk parses a timestamp from the event and stores it into _time, and you can limit your timerange to a specific range of _time values using earliest= and latest=. But, it doesn't implicitly see any other timestamp in the event as anything other than a string. You have to do something to parse it into something that is comparable.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...