I'm using the Java SDK to query Splunk. I'm getting proper results when I don't give a time range to the search query. But when I specify a time range, I find that the results that are returned don't match the time that I give. It always returns the newest results irrespective of the date range that I specify.
Args outputArgs = new Args();
outputArgs.put("output_mode", outputMode);
outputArgs.put("earliest_time", "2013-07-29T12:00:00.000");
outputArgs.put("latest_time", "2013-07-30T12:00:00.000");
I tried with relative time and also with the time format - %m/%d/%Y:%H:%M:%S (for this I receive an invalid earliest_time exception). Can you please let me know if the time format that I have specified is not proper? Or do I need to have some additional code to specify the time range?
Thanks in advance.
I also need an answer to this question. Product team, please suggest.
I am facing the same problem. How did you fix it? Can you please help us?
Can you share your query?
I want to run from 08/23/2015 00:00:00 to 09/22/2015 23:59:59
It could be that you need to specify timezone offset in the time string. Below is an example:
2013-08-15T20:16:18.208-07:00
"-07:00" is the offset of US Pacific time with Daylight Saving to UTC.
To get an example of the time format from your Splunk system, take a look at the value of the _time field of an event. The above time string is from a _time field on my system.
You can also specify a relative time, such as "-3d" (day) and "-3h" (hour).
You probably should use the -7:00 offset. It is US Pacific Daylight Saving time (I have modified my earlier comment to avoid confusion). That is what your _time attribute has. If it does not work, try the following to isolate the problem.
You can set the earliest_time to be the same as the value of the event _time field, and latest_time to be a millisecond larger (Splunk requires latest_time to be larger than earliest_time).
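The time strings suggested in the answer above, built in Java as an added example that is not part of the original thread or of the Splunk SDK: it converts the wall-clock range from the question into the `_time` format with a daylight-saving-aware offset, and builds the one-millisecond isolation window. The `America/Los_Angeles` zone, the class and method names, and the plain `Map` standing in for the SDK's `Args` are assumptions.

```java
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example; class and method names are hypothetical, not part of the Splunk SDK.
public class SplunkTimeRange {
    // Same shape as the _time value quoted in the thread: 2013-08-15T20:16:18.208-07:00
    static final DateTimeFormatter SPLUNK_ISO =
            DateTimeFormatter.ofPattern("uuuu-MM-dd'T'HH:mm:ss.SSSxxx");
    static final DateTimeFormatter WALL_CLOCK =
            DateTimeFormatter.ofPattern("MM/dd/uuuu HH:mm:ss");

    // Build earliest_time/latest_time from wall-clock strings in the given zone,
    // so each offset follows that zone's daylight-saving rules for its own date.
    static Map<String, String> range(String from, String to, ZoneId zone) {
        ZonedDateTime earliest = LocalDateTime.parse(from, WALL_CLOCK).atZone(zone);
        ZonedDateTime latest = LocalDateTime.parse(to, WALL_CLOCK).atZone(zone);
        if (!latest.isAfter(earliest)) {
            throw new IllegalArgumentException("latest_time must be larger than earliest_time");
        }
        return args(earliest.format(SPLUNK_ISO), latest.format(SPLUNK_ISO));
    }

    // Isolation step from the thread: earliest_time = one event's _time,
    // latest_time = that value plus one millisecond.
    static Map<String, String> singleEventWindow(String eventTime) {
        OffsetDateTime t = OffsetDateTime.parse(eventTime);
        return args(t.format(SPLUNK_ISO), t.plus(1, ChronoUnit.MILLIS).format(SPLUNK_ISO));
    }

    // Keys are the two parameter names used in the question.
    static Map<String, String> args(String earliest, String latest) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("earliest_time", earliest);
        m.put("latest_time", latest);
        return m;
    }

    public static void main(String[] unused) {
        ZoneId pacific = ZoneId.of("America/Los_Angeles"); // assumed zone for US Pacific time
        System.out.println(range("08/23/2015 00:00:00", "09/22/2015 23:59:59", pacific));
        System.out.println(singleEventWindow("2013-08-15T18:34:06.254-07:00"));
    }
}
```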
Thanks for the reply. It's still the same even after giving the -08:00 offset. I'm getting only the latest generated log data. And for the _time attribute I'm also getting the -07:00 offset.
_time --> 2013-08-15T18:34:06.254-07:00
Will I be missing any other thing because of which the data is not getting filtered properly based on time?