Splunk Search

Specifying a date range in field extraction window

Path Finder

Hey guys,

I am looking through a very very very large log of files for events. In the normal search screen, you can specify date ranges for your search, but in the field extraction screen, I cannot specify a range of dates to search through when I am searching for the sample event using the filter, so it searches through all (something like 200 million) events in order to find the string I am searching for. I know the date the event occurs on, and can find it in a normal search instantly, but not with the field extraction screen.

I have tried adding earliest=10/19/2009:0:0:0 latest=01/17/2016:0:0:0 to find the events, but it always just returns 0 events (before 1/18/16 7:29:48.000 PM). Is there a way to specify date ranges inside of the field extraction filter so that I don't have to filter through everything?

When I add that filter from above, I am searching for an event structured like this: Jan 15 13:54:23 |actual error message|

Thanks

1 Solution

SplunkTrust

If I perform a search and drill my way down to a particular time frame (in my currently open test on my laptop: "2 events (12/15/15 1:00:00.000 AM to 12/15/15 2:00:00.000 AM)"), then click "Extract New Fields" from the bottom of the fields list on the left, it takes me to an "Extract Fields, Select Sample" page with only the two events I had selected showing.

I can change my timeframe in search and repeat clicking the "Extract New Fields" with various numbers of events showing, but always that count matches what I had displayed in the search before.

Does it not do this for you? Are you getting to the field extractor via some other method?


Path Finder

Ah that did it. I was manually navigating to it through the settings menu. Thank you.


Path Finder

If you post that as an answer I'll accept it.


SplunkTrust

Done, thanks, and glad I could help!


SplunkTrust

What version of Splunk are you using?


Path Finder

Splunk Enterprise Server 6.3.2

The filter they give only goes back 1 week; I need to go back months.
