Splunk Search

Trying to add static date to time.conf

Engager

I have tried to modify my time.conf to have a static set of dates I can select. I added the following to my time.conf file:
[demolast7]
label = Demo Last 7 Days
headerlabel = in the last 7 days
earliest_time = "02/04/2013:00:00:00"
latest_time = "02/11/2013:09:00:00"
order = 200

I have tried this with and without quotes. I tried with a space between the date and the time. I also tried adding .0000 after the time. Nothing works; I always get "invalid earliest_time" in the UI. Any suggestions on how I can select a static date range from the dropdown in the app?


SplunkTrust

I believe that you can specify absolute time ranges in times.conf, but you have to specify them as epochtime values.

To convert your two times to epochtime I'd need to know your timezone; however, for the sake of giving an answer, if your timezone was GMT, I believe your config for those two times would look like:

[demo_last_7]
label = Demo Last 7 Days
header_label = in the last 7 days
earliest_time = 1359936000
latest_time = 1360573200
order = 200

A number of online converters are available that can take dates to epochtime integers and vice versa.

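The conversion the answer describes, as an added example that is not part of the original thread or of any Splunk tooling: it takes wall-clock stamps in the "MM/DD/YYYY:HH:MM:SS" form the asker used, interprets them in a named timezone, emits a times.conf stanza with integer epoch values, and runs a small checker that flags the failure mode from the question (a quoted date string where times.conf wants an epoch integer). The stanza and zone names are constructed for the example; the function names are mine. The checker only covers absolute stanzas like the one in this thread; relative modifiers such as -7d@d are a separate case it does not handle.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Format used in the asker's stanza (and in the search-language docs they cited).
SEARCH_TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"


def to_epoch(stamp: str, tz_name: str = "UTC") -> int:
    """Interpret a 'MM/DD/YYYY:HH:MM:SS' wall-clock time in tz_name and return Unix epoch seconds.

    tz_name is an IANA zone name such as 'UTC' or 'Europe/London'. Surrounding quotes,
    as in the asker's config, are tolerated so the same input can be fed straight through.
    """
    naive = datetime.strptime(stamp.strip().strip('"'), SEARCH_TIME_FORMAT)
    tz = timezone.utc if tz_name in ("UTC", "GMT") else ZoneInfo(tz_name)
    return int(naive.replace(tzinfo=tz).timestamp())


def times_conf_stanza(name, label, header_label, earliest, latest, order, tz_name="UTC"):
    """Render an absolute times.conf stanza whose earliest_time/latest_time are epoch integers."""
    lines = [
        f"[{name}]",
        f"label = {label}",
        f"header_label = {header_label}",
        f"earliest_time = {to_epoch(earliest, tz_name)}",
        f"latest_time = {to_epoch(latest, tz_name)}",
        f"order = {order}",
    ]
    return "\n".join(lines)


def check_absolute_stanza(text: str) -> list:
    """Return the problems a reviewer would flag in an absolute times.conf stanza.

    earliest_time and latest_time must both be present and be plain integers (epoch
    seconds), and latest_time must not precede earliest_time. An empty list means clean.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key] = value

    problems = []
    for key in ("earliest_time", "latest_time"):
        value = values.get(key)
        if value is None:
            problems.append(f"missing {key}")
        elif not value.isdigit():
            # This is exactly what the UI rejects as "invalid earliest_time":
            # a formatted date string instead of an epoch integer.
            problems.append(f"{key} is not an epoch integer: {value}")
    if not problems and int(values["latest_time"]) < int(values["earliest_time"]):
        problems.append("latest_time is earlier than earliest_time")
    return problems


# Constructed copy of the asker's stanza, with the formatted-date values that fail.
ASKER_STANZA = """[demolast7]
label = Demo Last 7 Days
headerlabel = in the last 7 days
earliest_time = "02/04/2013:00:00:00"
latest_time = "02/11/2013:09:00:00"
order = 200
"""

if __name__ == "__main__":
    print("asker's stanza:", check_absolute_stanza(ASKER_STANZA))
    fixed = times_conf_stanza("demo_last_7", "Demo Last 7 Days", "in the last 7 days",
                              "02/04/2013:00:00:00", "02/11/2013:09:00:00", 200, "UTC")
    print(fixed)
    print("fixed stanza:", check_absolute_stanza(fixed))
```

With tz_name set to "UTC" the two values come out as 1359936000 and 1360573200, matching the answer; passing a different IANA zone shifts both by that zone's offset for those dates, which is why the answerer had to assume a timezone before giving numbers.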


SplunkTrust

Well, I think it's trying to talk about two different things. In times.conf you're specifying time arguments for the search API, in the way that they're supposed to be sent. When you type earliest="" and latest="" into the actual search, that's kind of legacy functionality. And in the search string there's a default timeformat that it can use to translate the time to epochtime, but in times.conf there's no timeformat anywhere for it to pick up on.

Engager

Thank you, that works. Looks like the documentation is incorrect. I got the date time format from the following help page:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

That should probably be updated.
