I have data, e.g., as follows:
rectype=031 OMDStrtTime002="Wed Jul 20 02:59:59 2011" OMDEndtime003="Wed Jul 20 03:59:57 2011" etc.
Splunk correctly extracts the first datetime as the timestamp for the event (and I assume it identifies the second one as a timestamp?).
I want to search for events where OMDStrtTime002 > 'some specified value' and OMDEndtime003 < 'some specified value'. What is the syntax for the query?
I can't seem to find an example on Splunkbase that applies, or write one that works.
Assuming that Splunk is already extracting these values as fields (which it should be, since they are key=value pairs), the easiest thing to do is convert everything to time_t. These are simple integers, easily compared.
rectype=031
| eval OMD_Strt_t=strptime(OMDStrtTime002,"%a %b %d %H:%M:%S %Y")
| eval OMD_End_t=strptime(OMDEndtime003,"%a %b %d %H:%M:%S %Y")
| eval target_start=strptime("Wed Jul 20 01:00:00 2011","%a %b %d %H:%M:%S %Y")
| eval target_end=strptime("Wed Jul 20 05:00:00 2011","%a %b %d %H:%M:%S %Y")
| where OMD_Strt_t > target_start AND OMD_End_t < target_end
(The field names match the ones in the sample event, and %a/%b are used because the data carries abbreviated day and month names such as "Wed" and "Jul".)
It's a bit of hoop jumping just to get everything into nice, easy, comparable time_t integers, but it is worth it from a personal sanity point of view.
The problem here is that Splunk parses a timestamp from the event and stores it into _time, and you can limit your timerange to a specific range of _time values using latest=. But it doesn't implicitly see any other timestamp in the event as anything other than a string. You have to do something to parse it into something that is comparable.
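Both answers above come down to the same point: the second and third timestamps are plain strings until you parse them, and the robust comparison is on epoch integers. The Python below is an added example, not part of either answer and not Splunk code; it reproduces the SPL pipeline's logic over constructed sample records so the behaviour can be checked offline. It extracts the key=value fields the way Splunk's automatic extraction would, converts each OMD timestamp with the same strptime layout as the answer, applies the start/end window, and also demonstrates why comparing the raw strings gives the wrong answer. The event lines, the rectype=042 distractor and the UTC assumption are all constructed for the example.

```python
import calendar
import re
import time

# Constructed sample records modelled on the rectype=031 line in the question.
# These are not real Splunk events; the third record deliberately falls on the
# next day so that string comparison and epoch comparison disagree.
SAMPLE_EVENTS = [
    'rectype=031 OMDStrtTime002="Wed Jul 20 02:59:59 2011" OMDEndtime003="Wed Jul 20 03:59:57 2011"',
    'rectype=031 OMDStrtTime002="Wed Jul 20 00:30:00 2011" OMDEndtime003="Wed Jul 20 01:15:00 2011"',
    'rectype=031 OMDStrtTime002="Thu Jul 21 02:59:59 2011" OMDEndtime003="Thu Jul 21 03:59:57 2011"',
    'rectype=042 OMDStrtTime002="Wed Jul 20 02:00:00 2011" OMDEndtime003="Wed Jul 20 02:30:00 2011"',
]

# Same layout as the strptime() format in the SPL answer; %a/%b because the
# data carries abbreviated day and month names ("Wed", "Jul").
OMD_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"

# key=value pairs, with values either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_fields(event):
    """Mimic Splunk's automatic key=value extraction: return a dict of fields
    with the surrounding double quotes stripped from the values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(event)}


def to_time_t(value, fmt=OMD_TIME_FORMAT):
    """Parse a timestamp string to an integer epoch (time_t).

    The string carries no zone, so this example assumes UTC. Splunk's
    strptime() would instead apply the search head's configured time zone,
    so state the zone you mean when comparing against a fixed target."""
    return calendar.timegm(time.strptime(value, fmt))


def search(events, target_start, target_end, rectype="031"):
    """Return events with OMDStrtTime002 > target_start and
    OMDEndtime003 < target_end, comparing epoch integers as the SPL does."""
    start_t = to_time_t(target_start)
    end_t = to_time_t(target_end)
    hits = []
    for event in events:
        fields = extract_fields(event)
        if fields.get("rectype") != rectype:
            continue
        strt_t = to_time_t(fields["OMDStrtTime002"])
        end_field_t = to_time_t(fields["OMDEndtime003"])
        if strt_t > start_t and end_field_t < end_t:
            hits.append(event)
    return hits


def string_compare_is_wrong():
    """Show why the raw strings cannot be compared: 'Thu Jul 21 ...' sorts
    before 'Wed Jul 20 ...' lexically ('T' < 'W') although it is a day later.
    Returns (lexical_result, epoch_result)."""
    later = "Thu Jul 21 02:59:59 2011"
    earlier = "Wed Jul 20 02:59:59 2011"
    lexical = later > earlier
    numeric = to_time_t(later) > to_time_t(earlier)
    return lexical, numeric


if __name__ == "__main__":
    window = ("Wed Jul 20 01:00:00 2011", "Wed Jul 20 05:00:00 2011")
    for hit in search(SAMPLE_EVENTS, *window):
        print(hit)
    print("string compare says later > earlier:", string_compare_is_wrong())
```

With the same 01:00 to 05:00 window as the answer, only the first record matches: the second starts before the window, the third ends after it, and the fourth has a different rectype. The string comparison returns False where the epoch comparison returns True, which is exactly the failure the second answer warns about.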