I tried to specify an exact date for a search time range, but couldn't make it work.
Relative and epoch dates work: earliest=-5d@d or earliest=1352750400
but these fail:
earliest="2012/11/12 20:00:00" or "2012-11-12 8:00:00 pm" or "12/11/2012 20:00:00.000"
the default time format is %m/%d/%Y:%H:%M:%S
example : from November 12th to 15th at 8pm
earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"
or in a dashboard
<earliestTime>12/11/2012:20:00:00</earliestTime>
It is explained here, under timeformat:
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/SearchTimeModifiers
Thread necromancy I know, but this answer still pops up on the first page of Google results.
If you are trying to set the earliest/latest time in SimpleXML, you need to use either a relative time or Unix epoch time - the date format as described in the original solution does not work afaik. This is documented here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/PanelreferenceforSimplifiedXML#search
If you are trying to set earliest/latest using SPL, I think yannk's answer is still correct and the reference on this page is correct: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Specifytimemodifiersinyoursearch#Spe...
As stated by others, the default timestamp format is "%m/%d/%Y:%H:%M:%S", but you can change that!
With the current Splunk 6.4 you specify a different formatter using this syntax:
... timeformat="%Y-%m-%d %H:%M:%S" latest="2016-9-22 12:56:11"
Latest documentation for search time modifiers can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers
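To make the point of both answers concrete (the default %m/%d/%Y:%H:%M:%S format from the accepted answer, and the explicit timeformat= override from the Splunk 6.4 answer), here is a small added Python check that is not from the thread or from Splunk: it parses an absolute earliest/latest value the way the given timeformat would and returns epoch seconds, or None when the string does not fit the format. It assumes the user's Splunk timezone is UTC, which the thread does not state.

```python
# Added example (not from the thread): check how an absolute earliest/latest
# value parses under Splunk's default format and under a custom timeformat.
# Assumption: the user's Splunk timezone is UTC (the thread does not say).
from datetime import datetime, timezone

DEFAULT_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"  # Splunk default, as quoted in the thread


def to_epoch(value, timeformat=DEFAULT_TIMEFORMAT):
    """Parse an absolute time string as a timeformat= modifier would and return
    Unix epoch seconds, or None if the string does not match the format (which
    is what happens when a day/month value is written under %m/%d/%Y)."""
    try:
        parsed = datetime.strptime(value, timeformat)
    except ValueError:
        return None
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def check_range(earliest, latest, timeformat=DEFAULT_TIMEFORMAT):
    """Return (earliest_epoch, latest_epoch, problem) for a pair of bounds,
    where problem is None when both parse and are in order."""
    e, l = to_epoch(earliest, timeformat), to_epoch(latest, timeformat)
    if e is None or l is None:
        return e, l, "does not match timeformat %r" % timeformat
    if e > l:
        return e, l, "earliest is after latest"
    return e, l, None


if __name__ == "__main__":
    # The accepted answer's example written day/month: "15" is not a month,
    # and "12/11" silently becomes December 11th.
    print(check_range("12/11/2012:20:00:00", "15/11/2012:20:00:00"))
    # Same dates month/day: Nov 12th 20:00 UTC is 1352750400, the epoch the asker used.
    print(check_range("11/12/2012:20:00:00", "11/15/2012:20:00:00"))
    # The Splunk 6.4 style with an explicit timeformat from the later answer.
    print(to_epoch("2016-9-22 12:56:11", "%Y-%m-%d %H:%M:%S"))
```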
The stated default time format and the example given do not match up.
The default time format shown is month / day / year. But the example shows day/month/year.
The same error occurs in the example given in the docs located at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/SearchTimeModifiers
"the default time format is %m/%d/%Y:%H:%M:%S
example : from November 12th to 15th at 8pm
earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00""
I downvoted this post because day/month is opposite
Can Splunk start using days like the 20th-30th in their examples so there isn't so much confusion here? I love examples with 11/12/2012, which could be either day/month or month/day.
I downvoted this post because, yes, since the example and explanation feature conflicting data, it is impossible to tell from this response which is correct.
Yeah, please fix your response to clarify. You say the format is %m/%d/%Y.. (American format) but then you set earliest and latest to show the day first %d/%m/%Y.. (International format).
What if I need to change it to 4 hours?
Took me a while to notice your example had the day and month the wrong way round, should be: earliest="11/12/2012:20:00:00" latest="11/12/2012:20:00:00"
Yup, here is a list of all time modifiers:
http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/SearchTimeModifiers