Splunk Search

Why are there no results when time range is set between anything less than time posted?

angshul
Path Finder

I am plotting a timechart based on a datetime field (timestamp) in the event.
The search looks like:

* "logname=customlog"
| fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message 
| spath input=Message output=EventMessage path=Message 
| spath input=Message  output=event_id path=event_id 
| spath input=Message output=timestamp path=timestamp 
| eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") 
| eval _time=NewTime 
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count by event_id

Events in my data are between Feb 2011 and Mar 2011. This works fine for "All Time", but when I set the time range to anything less than the time when I posted the data, I get no results. It seems like _time is not getting overridden by the search as intended.

Can someone please help?

0 Karma

arjunpkishore5
Motivator

Can you try changing your where clause to the following:

| where _time>=info_min_time AND _time<=if(info_max_time=="+Infinity", now(), info_max_time) 

Let me know if this works. If not, please post a sample of your data.

Cheers.

0 Karma

angshul
Path Finder

It is still the same. My sample event is like the following:

11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"event_id" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system_state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}

As you can see, the event has the date/time of event posting (11/05/2019 01:06:16 PM), and there is a datetime in the JSON field Message["timestamp"]. I want all time range comparisons to be done with respect to Message["timestamp"] and to totally ignore the event posting datetime. Is it possible?

0 Karma

woodcock
Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND "logname=customlog" earliest=0 latest=now
| spath input=Message output=EventMessage path=Message 
| spath input=Message  output=event_id path=event_id 
| spath input=Message output=timestamp path=timestamp 
| eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S") 
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count BY event_id

0 Karma

angshul
Path Finder

Same result. The date range gives no result. The date range still works on the time when I posted the data: if the time of posting is within the bounds of the date range, then I see all the results. The timestamp in my posted data is from Feb 2011 to Mar 2011, and I posted the data yesterday, so any date range with an end time before yesterday gives me 0 results.

0 Karma

woodcock
Esteemed Legend

Did you post my answer exactly? The key part is the earliest=0 latest=now. You must have that part.

0 Karma

angshul
Path Finder

Adding

earliest=0 latest=now
always returns all the events, but that is not what I want. I want the date range filter to be applied against the JSON in the event (Message["timestamp"] in the sample event below):

11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"event_id" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system_state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}

0 Karma
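The behaviour the thread describes comes from the order in which Splunk applies the two time checks: the time picker (or inline earliest/latest) restricts which events are retrieved by their indexed _time, which for these events is the posting time, and only the events that survive that step reach the eval that overrides _time and the where clause on info_min_time/info_max_time. The Python model below is an added example, not code from the thread or from Splunk: it parses the posted event format (header line with the posting time, key=value lines, then a JSON Message block), pulls Message["timestamp"] the way the spath/strptime steps do, and runs the same count-by-event_id over a small constructed set of events, once with the picker applied to the posting time and once with retrieval across all time while the desired bounds are still applied to the payload timestamp. The template, the extra events, the function names and the assumption that the header date is month/day/year are all constructed here. For detection engineering the same distinction matters: an alert window evaluated against ingest time will silently miss backfilled or delayed events whose payload time is what the analyst actually cares about.

```python
import json
from datetime import datetime

# Constructed template, shaped like the event posted in the thread: a header line
# carrying the posting time, key=value lines, then a Message field whose JSON
# "timestamp" is the time the search is meant to filter on.
EVENT_TEMPLATE = """11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"event_id" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system_state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}"""


def make_event(timestamp, event_id):
    """Constructed helper: copy the template with a different payload time and event_id."""
    return (EVENT_TEMPLATE
            .replace('"timestamp" : "2011-02-19 15:22:23"', f'"timestamp" : "{timestamp}"')
            .replace('"event_id" : "41"', f'"event_id" : "{event_id}"'))


def parse_event(raw):
    """Split one event into the posting time, the key=value header fields and the JSON Message."""
    lines = raw.strip().splitlines()
    # Assumption: the header date is month/day/year (the sample is ambiguous on this).
    posted = datetime.strptime(lines[0].strip(), "%m/%d/%Y %I:%M:%S %p")
    fields, message_json = {}, None
    for i, line in enumerate(lines[1:], start=1):
        if line.startswith("Message="):
            # Everything from the '{' to the end of the event is the JSON payload.
            message_json = line[len("Message="):] + "\n" + "\n".join(lines[i + 1:])
            break
        key, _, value = line.partition("=")
        fields[key] = value
    message = json.loads(message_json) if message_json else {}
    return {"posted_time": posted, "fields": fields, "message": message}


def payload_time(event):
    """Equivalent of eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S") on the spath'd field."""
    return datetime.strptime(event["message"]["timestamp"], "%Y-%m-%d %H:%M:%S")


def in_range(t, earliest, latest):
    """Inclusive bounds; latest=None plays the role of info_max_time="+Infinity"."""
    return earliest <= t and (latest is None or t <= latest)


def search(events, earliest, latest, picker_applies_to_posted_time=True):
    """Model of the thread's pipeline ending in a count by event_id.

    With picker_applies_to_posted_time=True the bounds first act on the indexed
    _time (posting time) at retrieval, before the eval that overrides _time runs.
    With False, retrieval spans all time and the bounds are applied only to the
    payload timestamp, which is the behaviour the thread is asking for.
    """
    counts = {}
    for ev in events:
        if picker_applies_to_posted_time and not in_range(ev["posted_time"], earliest, latest):
            continue  # dropped at retrieval; the eval below never sees this event
        t = payload_time(ev)  # eval _time=strptime(...)
        if in_range(t, earliest, latest):  # where _time>=info_min_time AND _time<=info_max_time
            eid = ev["message"]["event_id"]
            counts[eid] = counts.get(eid, 0) + 1
    return counts


# Constructed sample set: payload times in Feb/Mar 2011, every event posted in Nov 2019.
EVENTS = [parse_event(make_event(ts, eid)) for ts, eid in [
    ("2011-02-19 15:22:23", "41"),
    ("2011-03-02 08:00:00", "41"),
    ("2011-03-15 12:30:00", "7"),
]]
FEB_MAR_2011 = (datetime(2011, 2, 1), datetime(2011, 3, 31, 23, 59, 59))
FEB_2011 = (datetime(2011, 2, 1), datetime(2011, 2, 28, 23, 59, 59))
NOV_2019 = (datetime(2019, 11, 1), datetime(2019, 11, 30, 23, 59, 59))

if __name__ == "__main__":
    print(search(EVENTS, *FEB_MAR_2011))  # {} : the picker on posting time drops every event first
    print(search(EVENTS, *NOV_2019))  # {} : retrieval passes, but the payload timestamps are 2011
    print(search(EVENTS, *FEB_MAR_2011, picker_applies_to_posted_time=False))  # {'41': 2, '7': 1}
```

The third call is what the thread's pipeline needs: retrieval over all time with the intended bounds applied only to the payload timestamp. In Splunk that means the desired earliest/latest have to reach the where clause by a route other than the search's own time range, because an inline earliest=0 latest=now also becomes the range that addinfo reports, which is why adding it made every event come back in the last post.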