Splunk Search

what is the format to use for a date in a search / dashboard

mataharry
Communicator

I tried to specify an exact date for a search time range, but couldn't make it work.

Relative and epoch dates work: earliest=-5d@d or earliest=1352750400

But these fail:
earliest="2012/11/12 20:00:00" or "2012-11-12 8:00:00 pm" or "12/11/2012 20:00:00.000"

1 Solution

yannK
Splunk Employee

The default time format is %m/%d/%Y:%H:%M:%S

Example: from November 12th to 15th at 8pm

earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"

or in a dashboard

<earliestTime>12/11/2012:20:00:00</earliestTime>

It is explained here under timeformat:
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/SearchTimeModifiers


thellmann
Splunk Employee

Thread necromancy I know, but this answer still pops up on the first page of Google results. 

If you are trying to set the earliest/latest time in SimpleXML, you need to use either a relative time or Unix epoch time - the date format as described in the original solution does not work afaik. This is documented here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/PanelreferenceforSimplifiedXML#search

If you are trying to set earliest/latest using SPL, I think yannk's answer is still correct and the reference on this page is correct: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Specifytimemodifiersinyoursearch#Spe...


mIliofotou_splu
Splunk Employee

As stated by others, the default timestamp format is "%m/%d/%Y:%H:%M:%S", but you can change that!

With the current Splunk 6.4 you specify a different formatter using this syntax:

... timeformat="%Y-%m-%d %H:%M:%S" latest="2016-9-22 12:56:11"

Latest documentation for search time modifiers can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

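The two formats in this thread, the default %m/%d/%Y:%H:%M:%S from the accepted answer and the custom timeformat="%Y-%m-%d %H:%M:%S" shown for Splunk 6.4, can be checked before a saved search or dashboard ships. The script below is an added example and is not Splunk code or any poster's code: it assumes Python's datetime.strptime behaves like Splunk's timeformat parser, treats parsed times as UTC (Splunk uses the search head's timezone, so real epoch values can shift by the UTC offset), and accepts an all-digit value as an epoch the way earliest=1352750400 is accepted. It also flags a value that is still a valid date with day and month swapped, which is exactly how a mis-ordered 11/12 vs 12/11 searches the wrong window without any error.

```python
# Added example (not Splunk code, not from any poster in this thread): a small
# Python model of how a strptime-style timeformat interprets earliest/latest.
# Assumptions: datetime.strptime stands in for Splunk's parser, and parsed
# times are treated as UTC (Splunk uses the search head's timezone).
from datetime import datetime, timezone

# Default format quoted in the thread.
SPLUNK_DEFAULT_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"


def parse_modifier(value, timeformat=SPLUNK_DEFAULT_TIMEFORMAT):
    """Resolve one earliest/latest value to (epoch, ISO-8601 string).

    An all-digit value is taken as a Unix epoch, as in earliest=1352750400.
    Anything else must match `timeformat` exactly; on a mismatch return None,
    which is the situation the original question ran into.
    """
    if value.isdigit():
        dt = datetime.fromtimestamp(int(value), tz=timezone.utc)
    else:
        try:
            dt = datetime.strptime(value, timeformat).replace(tzinfo=timezone.utc)
        except ValueError:
            return None
    return int(dt.timestamp()), dt.isoformat()


def is_day_month_ambiguous(value, timeformat=SPLUNK_DEFAULT_TIMEFORMAT):
    """True when swapping %m and %d in `timeformat` also parses, to a different date.

    Both readings of 11/12/2012 are valid dates, so a wrong assumption about
    the order does not fail; it silently selects a window in another month.
    """
    if "%m" not in timeformat or "%d" not in timeformat:
        return False
    swapped = timeformat.replace("%m", "\0").replace("%d", "%m").replace("\0", "%d")
    a = parse_modifier(value, timeformat)
    b = parse_modifier(value, swapped)
    return a is not None and b is not None and a != b


def check_window(earliest, latest, timeformat=SPLUNK_DEFAULT_TIMEFORMAT):
    """Validate a time range the way a reviewer of a saved search would.

    Returns (earliest_epoch, latest_epoch, problems). `problems` lists why the
    range would fail or is risky; an empty list means the window is usable.
    """
    problems = []
    e = parse_modifier(earliest, timeformat)
    l = parse_modifier(latest, timeformat)
    if e is None:
        problems.append(f"earliest={earliest!r} does not match timeformat {timeformat!r}")
    if l is None:
        problems.append(f"latest={latest!r} does not match timeformat {timeformat!r}")
    if e is not None and l is not None and e[0] >= l[0]:
        problems.append("earliest is not before latest")
    for name, value in (("earliest", earliest), ("latest", latest)):
        if is_day_month_ambiguous(value, timeformat):
            problems.append(f"{name}={value!r} is also a valid date with day and month swapped")
    return (e[0] if e else None, l[0] if l else None, problems)


if __name__ == "__main__":
    # The accepted answer's example, read with the default format: the latest
    # value has no 15th month, so it does not parse at all.
    print(check_window("12/11/2012:20:00:00", "15/11/2012:20:00:00"))
    # Month-first reading of the same date, cross-checked against the epoch
    # value the original question used.
    print(parse_modifier("11/12/2012:20:00:00"), parse_modifier("1352750400"))
    # A custom timeformat, as shown for Splunk 6.4.
    print(parse_modifier("2016-9-22 12:56:11", "%Y-%m-%d %H:%M:%S"))
```

Running check_window over the earliest/latest pairs of every scheduled search is a cheap pre-deployment check: a detection whose bounds silently parse to a different month runs over the wrong data and produces no error to tell you so.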

greathera
Explorer

The stated default time format and the example given do not match up.
The default time format shown is month/day/year, but the example shows day/month/year.

The same error occurs in the example given in the docs located at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/SearchTimeModifiers

"the default time format is %m/%d/%Y:%H:%M:%S
example : from November 12th to 15th at 8pm
earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00""

daniel_augustyn
Contributor

I downvoted this post because day/month is the opposite way round.


daniel_augustyn
Contributor

Can Splunk start using a day somewhere in the 20th-30th range in their examples, so there isn't so much confusion here? I love examples with 11/12/2012, which could be either day/month or month/day.


rnotch
Explorer

I downvoted this post because yes, since the example and the explanation contain conflicting data, it is impossible to tell from this response which one is correct.


aculveruwo
Explorer

Yeah, please fix your response to clarify. You say the format is %m/%d/%Y.. (American format), but then you set earliest and latest with the day first, %d/%m/%Y.. (international format).

Rocky31
Path Finder

What if I need to change it to 4 hours?


kyleharrison
Path Finder

Took me a while to notice your example had the day and month the wrong way round. It should be: earliest="11/12/2012:20:00:00" latest="11/12/2012:20:00:00"

Drainy
Champion