- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the proper syntax to pass time parameters in a search via CLI?
I am trying to run the search command at the CLI, passing a time range. I've studied all the docs and answers I can find on how to pass time parameters, but none seem to work. Either no results come back or results for all time come back.
What is the proper syntax for passing time parameters?
Here are a few permutations I have tried with no success.
splunk search 'index=pan_logs log_subtype=url user="donald.duck" -earlist_time=”9/20/2015:00:00:00” -latest_time=”9/21/2015:00:00:00”’
splunk search 'index=pan_logs log_subtype=url user="donald.duck" -earlist=”9/20/2015:00:00:00” -latest=”9/21/2015:00:00:00”’
splunk search 'index=pan_logs log_subtype=url user="donald.duck"’ –index_earliest ‘1442646000’ -index_latest ‘1442818800 ‘
splunk search 'index=pan_logs log_subtype=url user="donald.duck" -earlist_time ”9/20/2015:00:00:00” -latest_time ”9/21/2015:00:00:00”’
splunk search 'index=pan_logs log_subtype=url user="donald.duck"’ –index_earliest=‘1442646000’ -index_latest=‘1442818800 ‘
What am I doing wrongs?????
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/3bee0/3bee01efbaf85c18b7d7eb9c14295237155e1bed" alt="masonmorales masonmorales"
You have a typo in earliest:
-earlist_time=”9/20/2015:00:00:00”
And you should be able to specify the time range as part of the search:
splunk search 'index=pan_logs user="donald.duck" earliest=09/20/2015:00:00:00 latest=09/21/2015:00:00:00'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/3bee0/3bee01efbaf85c18b7d7eb9c14295237155e1bed" alt="masonmorales masonmorales"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! Thanks for the quick response! Unfortunately, your syntax did not work either. I read the document you reference as well as a number of posts on answers; there are a number of formats shown between these sources but none seem to work.
I don't get an error with your syntax but I do not get any events. And I know there are events for my search in the time period specified.
Any other thoughts?
data:image/s3,"s3://crabby-images/d7f73/d7f73632dd731f9b3dd280d9d048df61ba67932c" alt=""