Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a search for a specific timestamp?

Mubarish
Path Finder
‎08-19-2014 06:18 AM

Hi,
I have my search query which returns a table. In the table, Timestamp is one of my field. Format of the Timestamp field is YYYY/MM/DD HH:MM:SS (i.e) Date(Space)Time
For example
2014/07/10 03:17:44
2014/07/10 03:17:14 etc.
I want to search Timestamp suppose
for example basequery... | search Timestamp = 2014/07/10 03:17:44 , the record with that particular date&time has to display. Since there is a space between date and time, my search shows no result found. How can I search for a specific timestamp?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-19-2014 10:20 AM

Your logs in Splunk should have _time field in epoch format. You can convert your token value to epoch and compare against _time value.

your base search _time=[|gentimes start=-1 | eval search=strptime("YourDateValue","%Y/%m/%d %H:%M:%S" | table search]

0 Karma
Reply

MuS
Legend
‎08-19-2014 06:26 AM

Hi Mubarish,

simply use double quotes around the value like in this run everywhere search command (you must be able to search index=_internal) :

 index=_internal "[19/Aug/2014:15* +0200]"

This will show all event from today (as it is the 19th of August 2014) 3pm

hope this helps ...

cheers, MuS

Reply

pradeepkumarg
Influencer
‎08-19-2014 06:24 AM

Did you try this?

basequery| search Timestamp = "2014/07/10 03:17:44"

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...