Splunk Search

What's the correct search syntax for my earliest and latest date range?

Path Finder

For example, I need to search for all rehire dates between 12-01-2014 through 12-31-2014

"rehire date"=earliest="12/01/2014:00:00:00" latest="12/31/2014:00:00:00"

What am I doing wrong in the above syntax?

0 Karma

Re: What's the correct search syntax for my earliest and latest date range?

SplunkTrust

Drop the equals sign between your string "rehire date" and the earliest="..." and you should be good.

Edit: Now that rehire_date has been confirmed as an extracted field that's different from _time, using the earliest and latest filters is not going to work. Instead, you'll need to set your time range as wide as necessary to match your event's _time values and run a search like this:

keywords that identify your events | where rehire_date >= strptime("12/01/2014", "%m/%d/%Y") AND rehire_date < strptime("01/01/2015", "%m/%d/%Y")

Note, I have added a day to the end because you mentioned "through 12/31/2014", implying that rehires that happen on the 31st should still be found.


Re: What's the correct search syntax for my earliest and latest date range?

Path Finder

Remove the equal sign after the "rehire date" ?

For example,

"rehire date" earliest="12/01/2014:00:00:00" latest="12/31/2014:00:00:00"

Or should I be adding another "=" between

I'm trying to find all rehires between 12/01/2014 through 12/31/2014. I'm getting 0 events when I know I should be getting at least 4 people that come up.

0 Karma

Re: What's the correct search syntax for my earliest and latest date range?

Contributor

You have to change the earliest and latest values in the below query and try:

eval begindate="$earliest$"
| eval epochdaystart=if(isnum(begindate), begindate, relative_time(now(), begindate))
| eval epochdaystart=strftime(epochdaystart,"%Y%m%d")
| eval dateepoch=strftime(_time,"%Y%m%d")
| eval latest="$latest$"
| eval enddate=if(latest=="now","@d",latest)
| eval epochdayend=if(isnum(enddate), enddate, relative_time(now(), enddate))
| eval epochdayend=strftime(epochdayend,"%Y%m%d")
| where dateepoch>=epochdaystart AND dateepoch<=epochdayend

0 Karma

Re: What's the correct search syntax for my earliest and latest date range?

SplunkTrust

I have updated my answer to reflect that the rehire date is in fact not the timestamp of the event but rather an unrelated extracted field.

0 Karma

Re: What's the correct search syntax for my earliest and latest date range?

Path Finder

Thank you! I was able to find the correct number of people using the following:

"Rehire Date">="2014/12/01 00:00:00" AND "Rehire Date"<"2015/01/01 00:00:00"
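The accepted answer above explains that earliest/latest only filter on _time, so a date held in an extracted field has to be converted with strptime and compared as epoch seconds. The search below is an added example, not from any of the posters; it builds a handful of constructed rehire_date values with makeresults so it can be run in any Splunk instance without indexed data, and it uses the same half-open range (>= 12/01/2014, < 01/01/2015) the answer recommends so that rehires on the 31st are included. The field name rehire_date and the %m/%d/%Y format are assumptions for the sake of the example.

```spl
| makeresults
| eval rehire_date="11/30/2014;12/01/2014;12/15/2014;12/31/2014;01/01/2015"
| makemv delim=";" rehire_date
| mvexpand rehire_date
| eval rehire_epoch=strptime(rehire_date, "%m/%d/%Y")
| where rehire_epoch >= strptime("12/01/2014", "%m/%d/%Y")
      AND rehire_epoch <  strptime("01/01/2015", "%m/%d/%Y")
| table rehire_date rehire_epoch
```

Three rows come back (12/01, 12/15 and 12/31), while 11/30/2014 and 01/01/2015 are excluded. The plain string comparison in the post just above works only because that field is stored as "YYYY/MM/DD HH:MM:SS", which sorts correctly as text; with a month-first format such as 12/15/2014 a string comparison would silently return wrong results, so converting with strptime first is the safer habit.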


Re: What's the correct search syntax for my earliest and latest date range?

SplunkTrust

Is "rehire date" an extracted field? Is the timestamp for your events the same as "rehire date"? Can you post some sample entries?


Re: What's the correct search syntax for my earliest and latest date range?

Path Finder

Yes, the "rehire date" is an extracted field. The timestamp of the events is a different date from the "rehire date".

To post the sample I'd have to reproduce something fake.

0 Karma