Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Java SDK - help with query time range?

arunstg1
New Member
‎08-15-2013 04:02 PM

I'm using Java SDK to query splunk. I'm getting proper results when I don't give time range to the search query. But when I specify time range I find that the results that are returned doesn't match the time that I give. It always returns the newest results irrespective of the date range that I specify.

Args outputArgs = new Args();
outputArgs.put("output_mode", outputMode);
outputArgs.put("earliest_time", "2013-07-29T12:00:00.000");
outputArgs.put("latest_time", "2013-07-30T12:00:00.000");

I tried with relative time and also with the time format - %m/%d/%Y:%H:%M:%S (for this i receive a invalid earliest_time exception).Can you please let me know if the time format that I have specified is not proper. Or do I need to have some additional code to specify time range.

Thanks in advance.

0 Karma
Reply

ansuhane
New Member
‎11-28-2022 09:29 PM

I also need answer for this question, product team, please suggest

0 Karma
Reply

skarthi98
New Member
‎09-21-2015 10:29 AM

I am facing the same problem. How did you fix it? Can you please help us.

0 Karma
Reply

skarthi98
New Member
‎09-21-2015 10:30 AM

Can you share your query.

I want to run from 08/23/2015 00:00:00 to 09/22/2015 23:59:59

0 Karma
Reply

ywu_splunk
Splunk Employee
Splunk Employee
‎08-15-2013 08:47 PM

It could be that you need to specify timezone offset in the time string. Below is an example:

2013-08-15T20:16:18.208-07:00

"-07:00" is the offset of US Pacific time with Daylight Saving to UTC.

To get an example of time format from your Splunk system, take a look on the value of _time field of an event. The above time string is from a _time field from my system.

You can also specify a relative time, such as "-3d" (day) and "-3h" (hour).

0 Karma
Reply

ywu_splunk
Splunk Employee
Splunk Employee
‎08-16-2013 10:34 AM

You probably should use -7:00 offset. It is UC Pacific Daylight Saving time (I have modified my earlier comment to avoid confusion). That is what your _time attribute has. If it does not work, try the following to isolate the problem.

  1. Issuing a search without time range.
  2. Take _time field value from an event from that search and specify the time range accordingly. Run the search again.

You can set the earliest_time to be the same as the value of the event _time field, and latest_time to be a millisecond larger (Splunk requires latest_time to be larger than earliest_time).

0 Karma
Reply

arunstg1
New Member
‎08-15-2013 09:15 PM

Thanks for the reply. Its still the same even after giving -08:00 offset. I'm getting only the latest generated log data. And for the _time attribute I'm also getting -07:00 offset.
_time --> 2013-08-15T18:34:06.254-07:00
Will I be missing anyother thing because of which the data is not getting filtered properly based on time.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...