
Splunk Java SDK - query time range

New Member

I'm using the Java SDK to query Splunk. I'm getting proper results when I don't give a time range to the search query. But when I specify a time range I find that the results that are returned don't match the time that I give. It always returns the newest results irrespective of the date range that I specify.

Args outputArgs = new Args();
outputArgs.put("output_mode", outputMode);
outputArgs.put("earliest_time", "2013-07-29T12:00:00.000");
outputArgs.put("latest_time", "2013-07-30T12:00:00.000");

I tried with relative time and also with the time format %m/%d/%Y:%H:%M:%S (for this I receive an invalid earliest_time exception). Can you please let me know if the time format that I have specified is not proper, or whether I need some additional code to specify the time range.

Thanks in advance.


New Member

I am facing the same problem. How did you fix it? Can you please help us.


New Member

Can you share your query?

I want to run from 08/23/2015 00:00:00 to 09/22/2015 23:59:59


Splunk Employee

It could be that you need to specify timezone offset in the time string. Below is an example:

2013-08-15T20:16:18.208-07:00

"-07:00" is the offset of US Pacific time with Daylight Saving from UTC.

To get an example of the time format from your Splunk system, take a look at the value of the _time field of an event. The above time string is from a _time field on my system.

You can also specify a relative time, such as "-3d" (days) or "-3h" (hours).


Splunk Employee

You probably should use the -07:00 offset. It is US Pacific Daylight Saving Time (I have modified my earlier comment to avoid confusion). That is what your _time attribute has. If it does not work, try the following to isolate the problem.

  1. Issue a search without a time range.
  2. Take the _time field value from an event returned by that search and specify the time range accordingly. Run the search again.

You can set earliest_time to be the same as the value of the event's _time field, and latest_time to be a millisecond larger (Splunk requires latest_time to be larger than earliest_time).

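The isolation procedure above, carried through in working Java against the Splunk SDK. This is an added example, not code from the thread or from the SDK's own documentation; it assumes a Splunk instance on localhost:8089 with placeholder credentials, uses the thread's `_time` value as the seed for step 2 (on a real system you would take it from the step 1 output), and assumes the search `index=_internal sourcetype=splunkd` exists. One detail the thread's snippet does not show is which call its single Args map is handed to: in the SDK's REST mapping, `earliest_time` and `latest_time` are parameters of creating the search job (`JobArgs`), whereas `output_mode` is a parameter of fetching results (`JobResultsArgs`), so the two belong in different argument objects unless you use `oneshotSearch`, which is a single request and takes all of them in one map.

```java
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.JobResultsArgs;
import com.splunk.ResultsReaderJson;
import com.splunk.Service;
import com.splunk.ServiceArgs;

import java.io.InputStream;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Map;

public class TimeRangeSearch {

    // Splunk accepts ISO-8601 with milliseconds and a UTC offset, which is
    // exactly the shape of the _time field (e.g. 2013-08-15T18:34:06.254-07:00).
    private static final DateTimeFormatter SPLUNK_TIME =
            DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSXXX");

    // Step 2: take an event's _time verbatim as earliest_time and make
    // latest_time one millisecond later (latest must be strictly greater).
    static String[] boundsFromEventTime(String eventTime) {
        OffsetDateTime earliest = OffsetDateTime.parse(eventTime); // ISO_OFFSET_DATE_TIME
        OffsetDateTime latest = earliest.plusNanos(1_000_000L);    // +1 ms
        return new String[] { earliest.format(SPLUNK_TIME), latest.format(SPLUNK_TIME) };
    }

    // Runs a normal (non-oneshot) search job. Pass null bounds for "no time range".
    static int countEvents(Service service, String query, String earliest, String latest)
            throws Exception {
        // Time bounds are parameters of the search job itself ...
        JobArgs jobArgs = new JobArgs();
        jobArgs.setExecutionMode(JobArgs.ExecutionMode.NORMAL);
        if (earliest != null) jobArgs.setEarliestTime(earliest);
        if (latest != null) jobArgs.setLatestTime(latest);
        Job job = service.getJobs().create(query, jobArgs);
        while (!job.isDone()) {
            Thread.sleep(500);
        }

        // ... whereas output_mode belongs to the results request.
        JobResultsArgs resultsArgs = new JobResultsArgs();
        resultsArgs.setOutputMode(JobResultsArgs.OutputMode.JSON);
        resultsArgs.setCount(0); // 0 = return all rows, not just the first 100

        int n = 0;
        InputStream in = job.getResults(resultsArgs);
        ResultsReaderJson reader = new ResultsReaderJson(in);
        try {
            Map<String, String> event;
            while ((event = reader.getNextEvent()) != null) {
                n++;
                // Printing _time lets you confirm every row falls inside the window.
                System.out.println(event.get("_time") + "  " + event.get("_raw"));
            }
        } finally {
            reader.close();
            job.cancel(); // release the job on the search head
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setHost("localhost");    // assumed
        loginArgs.setPort(8089);           // assumed management port
        loginArgs.setUsername("admin");    // placeholder
        loginArgs.setPassword("changeme"); // placeholder
        Service service = Service.connect(loginArgs);

        String query = "search index=_internal sourcetype=splunkd"; // assumed to exist

        // Step 1: no time range; note a _time value from the printed events.
        int all = countEvents(service, query, null, null);

        // Step 2: a one-millisecond window around that _time must return >= 1 event.
        // The seed value here is the one quoted in the thread; replace it with yours.
        String[] b = boundsFromEventTime("2013-08-15T18:34:06.254-07:00");
        int pinned = countEvents(service, query, b[0], b[1]);

        // The original poster's window, now carrying the UTC offset of _time.
        int window = countEvents(service, query,
                "2013-07-29T12:00:00.000-07:00", "2013-07-30T12:00:00.000-07:00");

        // Relative form, as in the reply above.
        int recent = countEvents(service, query, "-3d", "now");

        System.out.printf("all=%d pinned=%d window=%d last3d=%d%n", all, pinned, window, recent);
    }
}
```

If step 1 returns events but step 2 returns none, the time string is not being applied; if step 2 returns the event but the wider window still returns the newest data, check where the time arguments are actually being passed. The `_time` printed per row is the ground truth either way.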

New Member

Thanks for the reply. It's still the same even after giving the -08:00 offset. I'm getting only the latest generated log data. And for the _time attribute I'm also getting the -07:00 offset.
_time --> 2013-08-15T18:34:06.254-07:00
Will I be missing any other thing because of which the data is not getting filtered properly based on time?
