Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Specifying a date range in field extraction window

Spiere
Path Finder
‎01-18-2016 11:31 AM

Hey guys,

I am looking through a very very very large log of files for events. In the normal search screen, you can specify date ranges for your search, but in the field extraction screen, I cannot specify a range of dates to search through when I am searching for the sample event using the filter, so it searches through all (something like 200 million) events in order to find the string I am searching for. I know the date the event occurs on, and can find it in a normal search instantly, but not with the field extraction screen.

I have tried adding earliest=10/19/2009:0:0:0 latest=01/17/2016:0:0:0 to find the events, but it always just returns 0 events (before 1/18/16 7:29:48.000 PM). Is there a way to specify date ranges inside of the field extraction filter so that I dont have to filter through everything?

When I add that filter from above, I am searching for an event structured like this Jan 15 13:54:23 |actual error message|

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎01-18-2016 01:03 PM

If I perform a search and drill my way down to a particular time frame (In my currently open test on my laptop - " 2 events (12/15/15 1:00:00.000 AM to 12/15/15 2:00:00.000 AM) "), then click "Extract New Fields" from the bottom of the fields list on the left, it takes me to a "Extract Fields, Select Sample" page with only the two events I had selected showing.

I can change my timeframe in search and repeat clicking the "Extract New Fields" with various numbers of events showing, but always that count matches what I had displayed in the search before.

Does it not do this for you? Are you getting to the field extractor via some other method?

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎01-18-2016 01:03 PM

If I perform a search and drill my way down to a particular time frame (In my currently open test on my laptop - " 2 events (12/15/15 1:00:00.000 AM to 12/15/15 2:00:00.000 AM) "), then click "Extract New Fields" from the bottom of the fields list on the left, it takes me to a "Extract Fields, Select Sample" page with only the two events I had selected showing.

I can change my timeframe in search and repeat clicking the "Extract New Fields" with various numbers of events showing, but always that count matches what I had displayed in the search before.

Does it not do this for you? Are you getting to the field extractor via some other method?

Reply
Solved! Jump to solution

Spiere
Path Finder
‎01-19-2016 10:20 AM

Ah that did it. I was manually navigating to it through the settings menu. Thank you.

0 Karma
Reply
Solved! Jump to solution

Spiere
Path Finder
‎01-19-2016 10:21 AM

If you post that as an answer ill accept it.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎01-19-2016 10:26 AM

Done, thanks, and glad I could help!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-18-2016 12:38 PM

What version of Splunk you're using??

0 Karma
Reply
Solved! Jump to solution

Spiere
Path Finder
‎01-18-2016 12:41 PM

Splunk Enterprise Server 6.3.2

The filter they give only goes back 1 week, I need to go back months.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...