I'm using Java SDK to query splunk. I'm getting proper results when I don't give time range to the search query. But when I specify time range I find that the results that are returned doesn't match the time that I give. It always returns the newest results irrespective of the date range that I specify.
Args outputArgs = new Args();
I tried with relative time and also with the time format %m/%d/%Y:%H:%M:%S (for this I receive an invalid earliest_time exception). Can you please let me know if the time format that I have specified is not proper, or whether I need some additional code to specify the time range?
Thanks in advance.
It could be that you need to specify timezone offset in the time string. Below is an example:
"-07:00" is the offset of US Pacific time with Daylight Saving to UTC.
To get an example of time format from your Splunk system, take a look on the value of _time field of an event. The above time string is from a _time field from my system.
You can also specify a relative time, such as "-3d" (day) and "-3h" (hour).
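An added example of passing the time range through the Splunk SDK for Java, written for this thread rather than taken from the original post or the SDK's own samples. It sets earliest_time and latest_time via JobArgs, which is how the search jobs endpoint receives them, rather than on the Args used for output. The host, credentials (read from the environment so they are not hard-coded) and the query string are assumptions; the absolute timestamps reuse the _time value quoted later in the thread, with latest_time one millisecond later, so the returned events' _time can be compared against the requested bounds:

```java
import com.splunk.Event;
import com.splunk.Job;
import com.splunk.JobArgs;
import com.splunk.ResultsReaderXml;
import com.splunk.Service;
import com.splunk.ServiceArgs;

import java.io.IOException;
import java.io.InputStream;

public class TimeBoundedSearch {

    public static void main(String[] args) throws IOException, InterruptedException {
        // Connection details are assumptions for this example: host, management
        // port and credentials come from the environment rather than the source.
        ServiceArgs loginArgs = new ServiceArgs();
        loginArgs.setHost(System.getenv("SPLUNK_HOST"));
        loginArgs.setPort(8089);
        loginArgs.setUsername(System.getenv("SPLUNK_USER"));
        loginArgs.setPassword(System.getenv("SPLUNK_PASSWORD"));
        Service service = Service.connect(loginArgs);

        // The time bounds are job arguments. Absolute times are ISO 8601 with a
        // UTC offset (here -07:00, matching the _time values in the thread);
        // latest_time must be strictly later than earliest_time.
        JobArgs jobArgs = new JobArgs();
        jobArgs.setEarliestTime("2013-08-15T18:34:06.254-07:00");
        jobArgs.setLatestTime("2013-08-15T18:34:06.255-07:00");
        // Relative modifiers work the same way, e.g.:
        //   jobArgs.setEarliestTime("-3d");
        //   jobArgs.setLatestTime("now");

        // Assumed query; a search string passed to the jobs endpoint starts with "search".
        String query = "search index=main sourcetype=access_combined";
        Job job = service.getJobs().create(query, jobArgs);

        // Block until the job has finished before reading its results.
        while (!job.isDone()) {
            Thread.sleep(500);
        }

        // Print each event's _time so the returned range can be checked against
        // the bounds that were requested above.
        InputStream results = job.getResults();
        ResultsReaderXml reader = new ResultsReaderXml(results);
        Event event;
        while ((event = reader.getNextEvent()) != null) {
            System.out.println(event.get("_time") + "  " + event.get("_raw"));
        }
        reader.close();
    }
}
```

If every printed _time falls outside the requested window, the bounds are not reaching the job; if they fall inside it, the original problem lies in how the arguments were being passed rather than in the time format.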
You probably should use -7:00 offset. It is US Pacific Daylight Saving time (I have modified my earlier comment to avoid confusion). That is what your _time attribute has. If it does not work, try the following to isolate the problem.
You can set the earliest_time to be the same as the value of the event _time field, and latest_time to be a millisecond larger (Splunk requires latest_time to be larger than earliest_time).
Thanks for the reply. It's still the same even after giving -08:00 offset. I'm getting only the latest generated log data. And for the _time attribute I'm also getting -07:00 offset.
_time --> 2013-08-15T18:34:06.254-07:00
Could I be missing any other thing because of which the data is not getting filtered properly based on time?