Solved: what is the format to use for a date in a search /...

mataharry · ‎11-29-2012

I tried to specify an exact date for a search time range, but couldn't make it work

relative and epoch date works : earliest=-5d@d or earliest=1352750400

but those fails
earliest="2012/11/12 20:00:00" or "2012-11-12 8:00:00 pm" or "12/11/2012 20:00:00.000"

yannK · ‎11-29-2012

the default time format is %m/%d/%Y:%H:%M:%S

example : from November 12th to 15th at 8pm

earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"
or in a dashboard

< earliestTime >12/11/2012:20:00:00< /earliestTime >

it is explained here in timeformat :
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/SearchTimeModifiers

View solution in original post

thellmann · ‎07-20-2021

Thread necromancy I know, but this answer still pops up on the first page of Google results.

If you are trying to set the earliest/latest time in SimpleXML, you need to use either a relative time or Unix epoch time - the date format as described in the original solution does not work afaik. This is documented here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/PanelreferenceforSimplifiedXML#search

If you are trying to set earliest/latest using SPL, I think yannk's answer is still correct and the reference on this page is correct: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Specifytimemodifiersinyoursearch#Spe...

mIliofotou_splu · ‎09-05-2016

As stated by others, the default timestamp format is "%m/%d/%Y:%H:%M:%S", but you can change that!

With the current Splunk 6.4 you specify a different formatter using this syntax:

... timeformat="%Y-%m-%d %H:%M:%S" latest="2016-9-22 12:56:11"

Latest documentation for search time modifiers can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

greathera · ‎07-09-2014

The stated default time format and the example given do not match up.
The default time format shown is month / day / year. But the example shows day/month/year.

The same error occurs in the example given in the docs located at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/SearchTimeModifiers

"the default time format is %m/%d/%Y:%H:%M:%S
example : from November 12th to 15th at 8pm
earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"

yannK · ‎11-29-2012

the default time format is %m/%d/%Y:%H:%M:%S

example : from November 12th to 15th at 8pm

earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"
or in a dashboard

< earliestTime >12/11/2012:20:00:00< /earliestTime >

it is explained here in timeformat :
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/SearchTimeModifiers

daniel_augustyn · ‎04-19-2018

I downvoted this post because day/month is opposite

daniel_augustyn · ‎04-19-2018

Can Splunk start doing in their examples with a day that is something like 20th-30th so it won't be that much of the confusion here? I love examples with 11/12/2012 which could be either day/month or month/day.

rnotch · ‎12-01-2017

I downvoted this post because yes, since the example and explanation feature conflicting data, this response is impossible to tell which is correct.

aculveruwo · ‎07-09-2015

Yeah, please fix your response to clarify. You say the format is %m/%d/%Y.. (American format) but then you set earliest and latest to show the day first %d/%m/%Y.. (International format).

Rocky31 · ‎01-13-2016

What is if i need to change to 4 hours

kyleharrison · ‎08-01-2014

Took me a while to notice your example had the day and month the wrong way round, should be: earliest="11/12/2012:20:00:00" latest="11/12/2012:20:00:00"

Drainy · ‎11-29-2012

Yup, here is a list of all time modifiers;

http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/SearchTimeModifiers

what is the format to use for a date in a search / dashboard

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application