
Searching for all events before a specific date specified in the search string

Splunk Employee

I have a search where I have been using "latesttime=-2d@d" to specify the time range, like so:

... latesttime=-2d@d

This works great; now, however, I wish to change this to an absolute date, not relative to the time the search is made. I understand I could use the following pattern:

... _time<=123456789

But I would really like to avoid explicitly stating an epoch time if I can. Is there an eval function that I'm missing that allows me to convert a date string into epoch time that I could use, or is there some other pattern altogether that I should be using?

To expand somewhat on the use case in question:

The search itself needs to contain two different timespans: a search that uses |accum over a large timespan, and then charts all changes to it during another, specific timespan. My approach is thus:

... earliest=-6mon latest="$end$" | timechart eval(sum(x)-sum(y)) as x | accum x as total | eval start="$start$" | convert mktime(start) | where _time>=start

Where $end$ and $start$ are supplied by the user in a form search.

The thinking is that we accumulate a starting value for our total-field that reaches far in the past. However, when we want to plot this, we are only interested in what value total had within a certain time window ($start, $end).

I hope that sheds some light on the problem, and as you can see, this current approach includes both the suggestions of gkanapathy and Simeon. It is, however, a shame to note that $end$ and $start$ here require different time formats (one of them needs ":" between YYYY and HH, while the other requires a space).


Re: Searching for all events before a specific date specified in the search string

Splunk Employee

You would use the convert command with mktime function:

... | convert mktime(your_time_field)

More details here:

http://www.splunk.com/base/Documentation/latest/SearchReference/Convert

The opposite command is the ctime function.


Re: Searching for all events before a specific date specified in the search string

Splunk Employee

If you can detail your exact data set and use case, the answer will be that much more detailed.


Re: Searching for all events before a specific date specified in the search string

Splunk Employee

You can simply express a time parameter like this:

sourcetype=xyz latest="05/31/2010:11:28:12"

to specify an absolute time. Sorry, US date format. If you want a different one, you can do this:

sourcetype=xyz timeformat="%Y-%m-%dT%H:%M:%S" latest="2010-06-15T12:34:56"

Note that timeformat must come before the time in the search string.

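The following is an added example, not code from this thread or from Splunk: a small Python helper that takes the two form tokens the question describes and renders the two-timespan search with a single date format. The end value is validated with strptime and passed through as an absolute latest= bound, with timeformat= placed ahead of it as this answer requires; the start value is converted to epoch seconds in the script instead of with convert mktime, so the second format the question complains about (convert's default timeformat is "%m/%d/%Y %H:%M:%S", with the space) is no longer needed. Because strptime rejects anything that is not exactly a date in the declared format, a form token that carries extra search syntax never reaches the search string. Assumptions: the base search sourcetype=xyz and the sample dates are constructed for the example, and naive timestamps are treated as UTC, whereas a real search applies the searching user's configured timezone.

```python
from datetime import datetime, timezone

# Splunk's default timeformat for earliest= / latest= in a search string
# (the "05/31/2010:11:28:12" form shown in the answer above).
SPLUNK_SEARCH_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"
# The alternative format the answer passes via timeformat= instead.
ISO_TIMEFORMAT = "%Y-%m-%dT%H:%M:%S"


def to_epoch(value, timeformat, tz=timezone.utc):
    """Parse `value` with a strptime-style `timeformat`; return epoch seconds.

    strptime raises ValueError unless the whole string matches the format,
    so a token such as "2010-06-15T12:34:56 | head 1" is rejected before it
    can be spliced into a search.  Assumption: the naive timestamp is taken
    as UTC; Splunk itself would apply the searching user's timezone.
    """
    parsed = datetime.strptime(value, timeformat)
    return int(parsed.replace(tzinfo=tz).timestamp())


def is_valid_time(value, timeformat):
    """True when `value` is exactly one timestamp in `timeformat`."""
    try:
        to_epoch(value, timeformat)
        return True
    except ValueError:
        return False


def build_search(start, end, timeformat=ISO_TIMEFORMAT, base="sourcetype=xyz"):
    """Render the question's two-timespan search using one date format.

    `end` becomes an absolute latest= bound, preceded by timeformat= as the
    answer requires; `start` is converted here to epoch for the where filter,
    replacing `eval start=... | convert mktime(start)` and its second format.
    The relative earliest=-6mon is unaffected by timeformat.
    """
    start_epoch = to_epoch(start, timeformat)
    end_epoch = to_epoch(end, timeformat)
    if start_epoch > end_epoch:
        raise ValueError("start must not be after end")
    return (
        f'{base} timeformat="{timeformat}" earliest=-6mon latest="{end}" '
        f"| timechart eval(sum(x)-sum(y)) as x "
        f"| accum x as total "
        f"| where _time>={start_epoch}"
    )


if __name__ == "__main__":
    # Constructed sample form input, not values from the thread.
    print(build_search("2010-06-01T00:00:00", "2010-06-15T12:34:56"))
    print(build_search("05/01/2010:00:00:00", "05/31/2010:11:28:12",
                       timeformat=SPLUNK_SEARCH_TIMEFORMAT))
    print(is_valid_time("2010-06-15T12:34:56 | head 1", ISO_TIMEFORMAT))
```

The rendered string can be handed to the Splunk CLI or the REST search endpoint as-is; if the form supplies the user's timezone, pass a matching tzinfo to to_epoch so the where filter agrees with the latest= bound, which Splunk interprets in that same zone.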

Re: Searching for all events before a specific date specified in the search string

SplunkTrust

NOTE: If you're using the UI, I really recommend sticking with the absolute time functionality in TimeRangePicker > Custom Time. If you use time terms in the search string, the UI will nag you about it with that little blue bar from now to eternity.


Re: Searching for all events before a specific date specified in the search string

Splunk Employee

Added a longer description of the use case.
