Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Java SDK - help with query time range?

arunstg1
New Member
‎08-15-2013 04:02 PM

I'm using Java SDK to query splunk. I'm getting proper results when I don't give time range to the search query. But when I specify time range I find that the results that are returned doesn't match the time that I give. It always returns the newest results irrespective of the date range that I specify.

Args outputArgs = new Args();
outputArgs.put("output_mode", outputMode);
outputArgs.put("earliest_time", "2013-07-29T12:00:00.000");
outputArgs.put("latest_time", "2013-07-30T12:00:00.000");

I tried with relative time and also with the time format - %m/%d/%Y:%H:%M:%S (for this i receive a invalid earliest_time exception).Can you please let me know if the time format that I have specified is not proper. Or do I need to have some additional code to specify time range.

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply

ansuhane
New Member
‎11-28-2022 09:29 PM

I also need answer for this question, product team, please suggest

0 Karma
Reply

skarthi98
New Member
‎09-21-2015 10:29 AM

I am facing the same problem. How did you fix it? Can you please help us.

0 Karma
Reply

skarthi98
New Member
‎09-21-2015 10:30 AM

Can you share your query.

I want to run from 08/23/2015 00:00:00 to 09/22/2015 23:59:59

0 Karma
Reply

ywu_splunk
Splunk Employee
Splunk Employee
‎08-15-2013 08:47 PM

It could be that you need to specify timezone offset in the time string. Below is an example:

2013-08-15T20:16:18.208-07:00

"-07:00" is the offset of US Pacific time with Daylight Saving to UTC.

To get an example of time format from your Splunk system, take a look on the value of _time field of an event. The above time string is from a _time field from my system.

You can also specify a relative time, such as "-3d" (day) and "-3h" (hour).

0 Karma
Reply

ywu_splunk
Splunk Employee
Splunk Employee
‎08-16-2013 10:34 AM

You probably should use -7:00 offset. It is UC Pacific Daylight Saving time (I have modified my earlier comment to avoid confusion). That is what your _time attribute has. If it does not work, try the following to isolate the problem.

  1. Issuing a search without time range.
  2. Take _time field value from an event from that search and specify the time range accordingly. Run the search again.

You can set the earliest_time to be the same as the value of the event _time field, and latest_time to be a millisecond larger (Splunk requires latest_time to be larger than earliest_time).

0 Karma
Reply

arunstg1
New Member
‎08-15-2013 09:15 PM

Thanks for the reply. Its still the same even after giving -08:00 offset. I'm getting only the latest generated log data. And for the _time attribute I'm also getting -07:00 offset.
_time --> 2013-08-15T18:34:06.254-07:00
Will I be missing anyother thing because of which the data is not getting filtered properly based on time.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...