Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Java SDK - help with query time range?

arunstg1
New Member
‎08-15-2013 04:02 PM

I'm using Java SDK to query splunk. I'm getting proper results when I don't give time range to the search query. But when I specify time range I find that the results that are returned doesn't match the time that I give. It always returns the newest results irrespective of the date range that I specify.

Args outputArgs = new Args();
outputArgs.put("output_mode", outputMode);
outputArgs.put("earliest_time", "2013-07-29T12:00:00.000");
outputArgs.put("latest_time", "2013-07-30T12:00:00.000");

I tried with relative time and also with the time format - %m/%d/%Y:%H:%M:%S (for this i receive a invalid earliest_time exception).Can you please let me know if the time format that I have specified is not proper. Or do I need to have some additional code to specify time range.

Thanks in advance.

0 Karma
Reply

ansuhane
New Member
‎11-28-2022 09:29 PM

I also need answer for this question, product team, please suggest

0 Karma
Reply

skarthi98
New Member
‎09-21-2015 10:29 AM

I am facing the same problem. How did you fix it? Can you please help us.

0 Karma
Reply

skarthi98
New Member
‎09-21-2015 10:30 AM

Can you share your query.

I want to run from 08/23/2015 00:00:00 to 09/22/2015 23:59:59

0 Karma
Reply

ywu_splunk
Splunk Employee
Splunk Employee
‎08-15-2013 08:47 PM

It could be that you need to specify timezone offset in the time string. Below is an example:

2013-08-15T20:16:18.208-07:00

"-07:00" is the offset of US Pacific time with Daylight Saving to UTC.

To get an example of time format from your Splunk system, take a look on the value of _time field of an event. The above time string is from a _time field from my system.

You can also specify a relative time, such as "-3d" (day) and "-3h" (hour).

0 Karma
Reply

ywu_splunk
Splunk Employee
Splunk Employee
‎08-16-2013 10:34 AM

You probably should use -7:00 offset. It is UC Pacific Daylight Saving time (I have modified my earlier comment to avoid confusion). That is what your _time attribute has. If it does not work, try the following to isolate the problem.

  1. Issuing a search without time range.
  2. Take _time field value from an event from that search and specify the time range accordingly. Run the search again.

You can set the earliest_time to be the same as the value of the event _time field, and latest_time to be a millisecond larger (Splunk requires latest_time to be larger than earliest_time).

0 Karma
Reply

arunstg1
New Member
‎08-15-2013 09:15 PM

Thanks for the reply. Its still the same even after giving -08:00 offset. I'm getting only the latest generated log data. And for the _time attribute I'm also getting -07:00 offset.
_time --> 2013-08-15T18:34:06.254-07:00
Will I be missing anyother thing because of which the data is not getting filtered properly based on time.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...