Hi,
The request below returns data from today, while I specifically set it to return data from the 27th of May to the 29th:
curl -k -u user:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search * | head 3" -d output_mode=json -d earliest="05/27/2013:0:0:0" -d latest="05/29/2013:0:0:0"
For example the first record returned is:
{"preview":false,"offset":0,"result":{"_bkt":"main~8~642E60C4-F8A3-448A-89E0-95E274AD3C3F","_cd":"8:54469","_indextime":"1370003005","_raw":"May 31 13:23:23 etc...","_serial":"0","_si":["localhost","main"],"_sourcetype":"syslog","_time":"2013-05-31 13:23:23.000 BST","host":"localhost","index":"main","linecount":"1","source":"/var/log/system.log","sourcetype":"syslog","splunk_server":"localhost"}}
Time is: 2013-05-31 13:23:23.000, which is obviously outside the range I specified. I'm probably missing something obvious... what am I doing wrong?
EDIT:
I'm now trying with a simple Python script; again, I can't seem to return the results in the date range I specify. I tried various different ranges (rt-3d, rt-5d, full date, etc.) but nothing works.
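import urllib
import urllib2

# session_key is assumed to come from an earlier login request (not shown)
request = urllib2.Request(
    "https://localhost:8089/servicesNS/admin/search/search/jobs/export",
    # POST body: the search plus the time range as epoch seconds
    data=urllib.urlencode({'search': 'search memorystatus | head 3',
                           'output_mode': 'json',
                           'latest': "1369522800",
                           'earliest': "1369436400"}),
    headers={'Authorization': ('Splunk %s' % session_key)})
search_results = urllib2.urlopen(request)
# Print the URL and encoded body that were sent, then the raw response
print "Full url is: " + request.get_full_url()
print "Data is: " + request.get_data()
print search_results.read()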
The url and data (query) printed in output are:
Full url is: https://localhost:8089/servicesNS/admin/search/search/jobs/export
Data is: search=search+memorystatus+%7C+head+3&earliest=1369436400&output_mode=json&latest=1369522800
I'm new to Splunk and I can't really figure out what's wrong, this is driving me crazy...
Thanks.