Splunk Search

Why are there no results when the time range is set to anything less than the time posted?

Path Finder

I am plotting a timechart based on a datetime field (timestamp) in the event.
The search looks like:

* "logname=customlog"
| fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message 
| spath input=Message output=EventMessage path=Message 
| spath input=Message  output=event_id path=event_id 
| spath input=Message output=timestamp path=timestamp 
| eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") 
| eval _time=NewTime 
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count by event_id

Events in my data are between Feb 2011 and Mar 2011. This works fine for "All Time", but when I set the time range to anything less than the time when I posted the data, I get no results. It seems like _time is not getting overridden by the search as intended.

Can someone please help?

0 Karma

Motivator

Can you try changing your where clause to the following?

| where _time>=info_min_time AND _time<=if(info_max_time=="+Infinity", now(), info_max_time) 

Let me know if this works. If not, please post a sample of your data.

Cheers.

0 Karma

Path Finder

It is still the same. My sample event is like the following:

11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"eventid" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}

As you can see, the event has the date/time of event posting (11/05/2019 01:06:16 PM), and there is a datetime in the JSON field Message["timestamp"]. I want all time range comparisons to be done with respect to Message["timestamp"] and to totally ignore the event posting datetime. Is it possible?

0 Karma

Esteemed Legend

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND "logname=customlog" earliest=0 latest=now
| spath input=Message output=EventMessage path=Message 
| spath input=Message  output=event_id path=event_id 
| spath input=Message output=timestamp path=timestamp 
| eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S") 
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count BY event_id

0 Karma

Path Finder

Same result. The date range gives no result. The date range still works on the time when I posted the data: if the time of posting is within the bounds of the date range, then I see all the results. The timestamp in my posted data is from Feb 2011 to Mar 2011, and I posted the data yesterday, so any date range with an end time before yesterday gives me 0 results.

0 Karma

Esteemed Legend

Did you post my answer exactly? The key part is the earliest=0 latest=now. You must have that part.

0 Karma

Path Finder

Adding

earliest=0 latest=now

always returns all the events, but that is not what I want. I want the date range filter to be applied against the JSON in the event (Message["timestamp"] in the sample event below):

11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"eventid" : "41",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system state" : "S4/S5",
"timestamp" : "2011-02-19 15:22:23",
"timestamp_accuracy" : "Accurate"
}

0 Karma
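The behaviour the thread circles around has a simple cause: the time range picker (or an inline earliest=/latest=) selects events by their indexed _time before any eval runs, and addinfo reports that same search window in info_min_time/info_max_time. So a Feb 2011 picker never retrieves events indexed in Nov 2019, and earliest=0 latest=now retrieves everything but then makes the where clause a no-op. The Python model below is an added example, not code from the thread or from Splunk: it parses two constructed events in the posted format (the "system state" key is assumed to be a single key that the forum wrapped), extracts Message["timestamp"] the way the spath/strptime lines do, and runs the three scenarios discussed, with the retrieval window and the filter window supplied separately so the difference is visible. The third scenario corresponds to applying picker bounds that arrive independently of the search's own time range (for example from dashboard time-picker tokens) to the embedded timestamp.

```python
import json
from datetime import datetime

# Constructed sample events in the shape posted in the thread: the first line is
# the posting time that Splunk indexed as _time, then key=value header fields,
# then a JSON document in the Message field.
EVENT_TEMPLATE = """11/05/2019 01:06:16 PM
LogName=CustomLog
SourceName=WindowsEventSource
EventCode=256
EventType=4
Type=Information
TaskCategory=Network Events
OpCode=None
RecordNumber=20445
Keywords=Classic
Message={{
"country" : "Central African Republic",
"description" : "successfully completed.",
"deviceId" : "38",
"eventid" : "{event_id}",
"id" : "9999",
"logtype" : "Info",
"msgqnum" : "0",
"severity" : "High",
"source" : "mySource",
"system state" : "S4/S5",
"timestamp" : "{timestamp}",
"timestamp_accuracy" : "Accurate"
}}"""

# Two constructed events, both posted on 11/05/2019, with embedded timestamps
# in Feb and Mar 2011 as the original poster describes.
RAW_EVENTS = [
    EVENT_TEMPLATE.format(event_id="41", timestamp="2011-02-19 15:22:23"),
    EVENT_TEMPLATE.format(event_id="42", timestamp="2011-03-10 08:00:00"),
]


def parse_event(raw):
    """Split one raw event into its indexed time, header fields and Message JSON."""
    lines = raw.splitlines()
    index_time = datetime.strptime(lines[0].strip(), "%m/%d/%Y %I:%M:%S %p")
    fields = {}
    message_start = None
    for i, line in enumerate(lines[1:], start=1):
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Message":
            message_start = i
            break
        fields[key] = value
    # Everything from "Message={" to the end is the JSON body (spath input=Message).
    json_text = "\n".join(lines[message_start:])[len("Message="):]
    return {"index_time": index_time, "fields": fields, "message": json.loads(json_text)}


def event_time(event):
    """Equivalent of: eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S")."""
    return datetime.strptime(event["message"]["timestamp"], "%Y-%m-%d %H:%M:%S")


def run_search(events, retrieval_window, filter_window):
    """Model the two stages of the thread's search.

    retrieval_window: bounds applied to the indexed _time before any eval runs
                      (the time picker, or inline earliest=/latest=).
    filter_window:    bounds applied to the timestamp inside Message afterwards
                      (the where clause on _time after eval).
    """
    earliest, latest = retrieval_window
    retrieved = [e for e in events if earliest <= e["index_time"] <= latest]
    lo, hi = filter_window
    return [e for e in retrieved if lo <= event_time(e) <= hi]


def scenarios():
    """Result counts for the three configurations discussed in the thread."""
    events = [parse_event(r) for r in RAW_EVENTS]
    epoch = datetime(1970, 1, 1)
    now = datetime(2019, 11, 6)  # the day after posting, per "I posted data yesterday"
    picker = (datetime(2011, 2, 1), datetime(2011, 2, 28, 23, 59, 59))
    return {
        # Picker set to Feb 2011: retrieval by indexed _time already drops every event.
        "picker_only": len(run_search(events, picker, picker)),
        # earliest=0 latest=now: addinfo reports those same bounds, so the where clause passes all.
        "all_time_with_addinfo": len(run_search(events, (epoch, now), (epoch, now))),
        # Retrieve all time, then filter on the embedded timestamp with separately supplied bounds.
        "all_time_filter_embedded": len(run_search(events, (epoch, now), picker)),
    }


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name}: {count} event(s)")
```

Running it prints 0, 2 and 1 for the three scenarios: the first reproduces the empty timechart, the second reproduces "always returns all the events", and only the third filters on Message["timestamp"] while ignoring the posting time.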