Splunk Search

Specifying a date range in field extraction window

Spiere
Path Finder

Hey guys,

I am looking through a very, very, very large log of files for events. In the normal search screen, you can specify date ranges for your search, but in the field extraction screen, I cannot specify a range of dates to search through when I am searching for the sample event using the filter, so it searches through all (something like 200 million) events in order to find the string I am searching for. I know the date the event occurs on, and can find it in a normal search instantly, but not with the field extraction screen.

I have tried adding earliest=10/19/2009:0:0:0 latest=01/17/2016:0:0:0 to find the events, but it always just returns 0 events (before 1/18/16 7:29:48.000 PM). Is there a way to specify date ranges inside of the field extraction filter so that I don't have to filter through everything?

When I add that filter from above, I am searching for an event structured like this: Jan 15 13:54:23 |actual error message|

Thanks

0 Karma
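As an added example (not code from the thread or from Splunk), the script below shows what the two pieces of the question look like outside the UI: an `earliest`/`latest` time window applied to events in the poster's layout, and the kind of regex the field extractor would generate for `Jan 15 13:54:23 |actual error message|`. The sample events, the field name `error_message`, and the year 2016 (syslog-style timestamps carry no year; the thread mentions 1/18/16) are assumptions. Splunk's absolute time modifiers use the form `%m/%d/%Y:%H:%M:%S`, and the poster's `10/19/2009:0:0:0` is that form with unpadded fields, so the parser accepts both.

```python
import re
from datetime import datetime

# Constructed sample events in the poster's layout (not from the thread):
# syslog-style timestamp, then the message wrapped in pipes.
SAMPLE_EVENTS = [
    "Jan 15 13:54:23 |disk quota exceeded on /var|",
    "Jan 17 08:02:11 |auth failure for user svc-backup|",
    "Jan 18 19:29:48 |index rollover complete|",
    "garbage line that should be ignored",
]

# Regex a field extractor would plausibly produce for this layout:
# named groups for the timestamp parts and one for the pipe-delimited message.
# The field name error_message is an assumption.
EVENT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\|(?P<error_message>[^|]*)\|\s*$"
)


def parse_time_modifier(value: str) -> datetime:
    """Parse an absolute Splunk-style modifier such as 10/19/2009:0:0:0.

    Accepts unpadded hour/minute/second (as the poster wrote them). A value
    with no time part is treated as midnight; that fallback is this script's
    choice, not a claim about Splunk's own parser.
    """
    if ":" in value:
        date_part, time_part = value.split(":", 1)
        hour, minute, second = (int(x) for x in time_part.split(":"))
    else:
        date_part, hour, minute, second = value, 0, 0, 0
    base = datetime.strptime(date_part, "%m/%d/%Y")
    return base.replace(hour=hour, minute=minute, second=second)


def parse_event(line: str, year: int):
    """Return {'_time': datetime, 'error_message': str} or None if no match."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(
        f"{m['month']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S"
    )
    return {"_time": ts, "error_message": m["error_message"]}


def extract_in_range(lines, earliest: str, latest: str, year: int):
    """Apply the time window, then the extraction, to the matching events.

    earliest is inclusive and latest is exclusive, which is how Splunk
    treats the same two modifiers in a search.
    """
    lo, hi = parse_time_modifier(earliest), parse_time_modifier(latest)
    results = []
    for line in lines:
        event = parse_event(line, year)
        if event is None:
            continue
        if lo <= event["_time"] < hi:
            results.append(event)
    return results


if __name__ == "__main__":
    # The poster's own window: only the Jan 15 event falls inside it,
    # because latest=01/17/2016:0:0:0 excludes everything on Jan 17 onward.
    for ev in extract_in_range(SAMPLE_EVENTS, "10/19/2009:0:0:0", "01/17/2016:0:0:0", 2016):
        print(ev["_time"].isoformat(), ev["error_message"])
```

The window semantics are the practical point: with `latest=01/17/2016:0:0:0` an event stamped Jan 17 08:02 is outside the range, so a search that returns 0 events for a known date is worth re-checking against an off-by-one-day `latest` before blaming the extractor.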
1 Solution

Richfez
SplunkTrust

If I perform a search and drill my way down to a particular time frame (in my currently open test on my laptop, "2 events (12/15/15 1:00:00.000 AM to 12/15/15 2:00:00.000 AM)"), then click "Extract New Fields" at the bottom of the fields list on the left, it takes me to an "Extract Fields, Select Sample" page with only the two events I had selected showing.

I can change my time frame in search and repeat clicking "Extract New Fields" with various numbers of events showing, and the count always matches what I had displayed in the search beforehand.

Does it not do this for you? Are you getting to the field extractor via some other method?

Spiere
Path Finder

Ah, that did it. I was manually navigating to it through the settings menu. Thank you.

0 Karma

Spiere
Path Finder

If you post that as an answer, I'll accept it.

0 Karma

Richfez
SplunkTrust

Done, thanks, and glad I could help!

0 Karma

somesoni2
Revered Legend

What version of Splunk are you using?

0 Karma

Spiere
Path Finder

Splunk Enterprise Server 6.3.2

The filter they give only goes back 1 week; I need to go back months.

0 Karma