Why are Time Modifiers not working with SPL CLI?

tracieed_nord · ‎10-10-2018

Doing a search on CLI with time range modifiers does not seem to work.

I have tried earliest_time/latest_time and index_earliest/index_latest.

I have tired formatting mm/dd/yyy and yyyy-mm-dd.

Format of command is: /opt/splunk/bin/splunk search 'search details' earliest_time=yyyy-mm-dd latest_time=yyyy-mm-dd.

The search works as expected w/out the time range modifiers - and of course works via web. When I try this earliest_time=2018-05-01 latest_time=2018-06-01 max_out=0 I get results from 09/13??

I am running this on the search head in a distributed environment.

Vijeta · ‎10-10-2018

you need to convert time using strftime and then compare with earliest and latest instead of earliest_time and latest_time
eval time = strftime(, "%Y-%m-%d")

tracieed_nord · ‎10-10-2018

As far as I know, "earliest/latest" are not supported in CLI searches - according to the documentation? And why do I have to convert?
Thanx

Vijeta · ‎10-10-2018

The conversion needs to be done as the time values is considered in seconds format. You can use

eval start_time = strftime("2018-05-01", "%Y-%m-%d") | eval end_time=strftime("2018-06-01", "%Y-%m-%d")|
where ( _time > start_time and _time < end_time)

Why are Time Modifiers not working with SPL CLI?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Why are Time Modifiers not working with SPL CLI?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25