Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why are there no results when time range is set between anything less than time posted?

angshul
Path Finder
‎11-04-2019 12:06 PM

I am plotting a timechart based on a datetime field (timestamp) in the event.
The search looks like:

* "logname=customlog"
| fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message 
| spath input=Message output=EventMessage path=Message 
| spath input=Message  output=event_id path=event_id 
| spath input=Message output=timestamp path=timestamp 
| eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") 
| eval _time=NewTime 
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count by event_id

Events in my data are between Feb'2011 and Mar'2011. This works fine for "All Time" but when I set time range between anything less than the time when I posted the data I get no results. Seems like _time is not getting overridden by the search as intended.

Can you someone please help?

0 Karma
Reply

arjunpkishore5
Motivator
‎11-06-2019 04:36 PM

Can you try changing your where clause to the following

| where _time>=info_min_time AND _time<=if(info_max_time=="+Infinity", now(), info_max_time)

Let me know if this works. If not, please post a sample of your data.

Cheers.

0 Karma
Reply

angshul
Path Finder
‎11-12-2019 10:01 AM

It is still the same. My sample event is like following:

11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"event_id" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system_state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}

As you can see the event has date time of event posting: 11/05/2019 01:06:16 PM and there is datetime in the json field Message["timestamp"] I want all time range comparisons to be done wrt Message["timestamp"] and totally ignore the event posting datetime. is it possible?

0 Karma
Reply

woodcock
Esteemed Legend
‎11-04-2019 07:53 PM

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND "logname=customlog" earliest=0 latest=now
| spath input=Message output=EventMessage path=Message 
| spath input=Message  output=event_id path=event_id 
| spath input=Message output=timestamp path=timestamp 
| eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S") 
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count BY event_id
0 Karma
Reply

angshul
Path Finder
‎11-05-2019 08:50 AM

Same result. The date range gives no result. The date range still works on the time when I posted the data, if the time of posting is within the bounds of posting datetime then I see all the results. timestamp in my posted data is from Feb 2011 to Mar 2011 and I posted data yesterday so any date range before yesterday as end time gives me 0 results

0 Karma
Reply

woodcock
Esteemed Legend
‎11-05-2019 05:29 PM

Did you post my answer exactly? The key part is the earliest=0 latest=now. You must have that part.

0 Karma
Reply

angshul
Path Finder
‎11-12-2019 10:07 AM

Adding 

earliest=0 latest=now
always returns all the events but that is not what I want. I want the date range filter to be applied against the json in the event (Message["timestamp"] in the sample event below):

11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"event_id" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system_state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...