Splunk Search

Searching for all events before a specific date specified in the search string

Splunk Employee

I have a search where I have been using "latesttime=-2d@d" to specify the time range, like so:

... latesttime=-2d@d

This works great, but now I wish to change this to an absolute date, not relative to the time the search is made. I understand I could use the following pattern:

... _time<=123456789

But I would really like to avoid explicitly stating an epoch time if I can. Is there a function to eval that I'm missing that allows me to convert a date-string into epoch time that I could use, or is there some other pattern altogether that I should be using?

To expand somewhat on the use case in question:

The search itself needs to contain two different timespans, a search that will use |accum over a large timespan, and then charting all changes to it during another specific timespan. My approach is thus:

... earliest=-6mon latest="$end$" | timechart eval(sum(x)-sum(y)) as x | accum x as total | eval start="$start$" | convert mktime(start) | where _time>=start

Where $end$ and $start$ are supplied by the user in a form search.

The thinking is that we accumulate a starting value for our total-field that reaches far in the past. However, when we want to plot this, we are only interested in what value total had within a certain time window ($start, $end).

I hope that sheds some light on the problem, and as you can see, this current approach includes both the suggestions of gkanapathy and Simeon. It is, however, a shame to note that $end$ and $start$ here require different time formats (one of them needs ":" between YYYY and HH, while the other requires a space).

1 Solution

Splunk Employee

You can simply express a time parameter like this:

sourcetype=xyz latest="05/31/2010:11:28:12"

to specify an absolute time. Sorry, US date format. If you want a different one, you can do this:

sourcetype=xyz timeformat="%Y-%m-%dT%H:%M:%S" latest="2010-06-15T12:34:56"

Note that timeformat must come before the time in the search string.


Splunk Employee

Added a longer description of the usecase.


SplunkTrust

NOTE: If you're using the UI, I really recommend sticking with the absolute time functionality in TimeRangePicker > Custom Time. If you use time terms in the search string, the UI will nag you about it with that little blue bar from now to eternity.



Splunk Employee

If you can detail your exact data set and use case, the answer will be that much more detailed.


Splunk Employee

You would use the convert command with mktime function:

... | convert mktime(your_time_field)

More details here:

http://www.splunk.com/base/Documentation/latest/SearchReference/Convert

The opposite command is the ctime function.

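The following Python is an added example (not code from the thread or from Splunk) that ties the two answers together: the `timeformat=`/`latest=` pattern from the accepted solution and the `convert mktime`/`ctime` conversion from the last reply. It mirrors both conversions in Python so the epoch values can be checked offline, and it assembles the original poster's two-timespan search so that `$start$` and `$end$` share one format: `timeformat` is placed before `earliest`/`latest` (the search-string default is "%m/%d/%Y:%H:%M:%S"), and `convert` is given its own `timeformat` (its default expects a space instead of ":"), which is why the two tokens otherwise needed different formats. It also validates each form token before splicing it into the search string so a token cannot carry extra search terms. Assumptions not on the page: UTC is used for all conversions (a real search uses the search's timezone), the ISO-style format name and the helper names are mine, and the sample timestamps are constructed.

```python
import calendar
from datetime import datetime, timezone

# Splunk's default format for absolute earliest=/latest= values (US order, ":" before the time).
SPLUNK_DEFAULT_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"
# Format used for both form tokens in this example (chosen here; the thread shows it with timeformat=).
ISO_TIMEFORMAT = "%Y-%m-%dT%H:%M:%S"


def to_epoch(value, fmt):
    """Offline equivalent of `... | convert mktime(field)`: parse `value` with the
    strptime-style `fmt` and return epoch seconds. Assumes UTC (assumption: Splunk would
    apply the search's timezone instead)."""
    dt = datetime.strptime(value, fmt)
    return calendar.timegm(dt.timetuple())


def to_ctime(epoch, fmt=ISO_TIMEFORMAT):
    """Offline equivalent of `... | convert ctime(field)`: epoch seconds back to a string in `fmt`."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(fmt)


def validate_token(value, fmt):
    """Accept only a string that is exactly one timestamp in `fmt`.
    strptime raises on trailing data, so a token such as
    '2010-06-15T12:34:56" | delete' is rejected before it reaches the search string."""
    try:
        datetime.strptime(value, fmt)
    except ValueError as exc:
        raise ValueError(f"bad time token {value!r}: {exc}") from None
    return value


def build_search(base, start, end, fmt=ISO_TIMEFORMAT, history="-6mon"):
    """Assemble the thread's two-timespan search with one format for both tokens.

    - `timeformat=` must precede earliest=/latest= (as the accepted answer notes).
    - `convert` gets the same `timeformat=` so mktime parses $start$ without needing
      the space-separated default.
    """
    start = validate_token(start, fmt)
    end = validate_token(end, fmt)
    return (
        f'{base} timeformat="{fmt}" earliest={history} latest="{end}" '
        f"| timechart eval(sum(x)-sum(y)) as x | accum x as total "
        f'| eval start="{start}" | convert timeformat="{fmt}" mktime(start) '
        f"| where _time>=start"
    )


if __name__ == "__main__":
    # Constructed sample values taken from the two answers in the thread.
    print(to_epoch("05/31/2010:11:28:12", SPLUNK_DEFAULT_TIMEFORMAT))
    print(to_epoch("2010-06-15T12:34:56", ISO_TIMEFORMAT))
    print(build_search("sourcetype=xyz", "2010-06-01T00:00:00", "2010-06-15T12:34:56"))
```

`build_search` is the piece to reuse from a form or dashboard glue script: it emits a search where both tokens are in `ISO_TIMEFORMAT`, and the `ValueError` from `validate_token` is what you want to surface when a user submits something that is not a bare timestamp.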