From the CLI, how do I run a simple search through...

seanlon11 · ‎06-04-2010

I looked at the documentation here: http://www.splunk.com/base/Documentation/4.1.1/SearchReference/CLIsearchsyntax

And it states to use either the "latest_time" or the "earliest_time" for time, and for either of these I can use the Relative Time Modifiers found here: http://www.splunk.com/base/Documentation/4.1.1/User/ChangeTheTimeRangeOfYourSearch

The "earliest_time" appears to start from the current time and go backwards, so I'm using it.

I have run the following for the earliest_time:

./splunk search 'host="was01" earliest_time=-15m@s'

The results retrieved are NOT within the last 15 minutes (ran query @ 15:38):

[6/4/10 15:38:31:623 CDT]

...

[6/4/10 15:37:36:051 CDT]

Any ideas on why it is only going back about 1 minute instead of 15 minutes like my query is intended to?

What am I doing wrong?

Thanks, Sean

seanlon11 · ‎06-04-2010

Got it

./splunk search 'host="was01" earliest_time=-15m@s' -maxout 0

notice the "maxout 0" appended to the end, and notice that it is outside of the ending single quote

seanlon11 · ‎06-04-2010

I'm beginning to think it has something to do with the default number of results being set to 100

Stephen_Sorkin · ‎06-04-2010

Should be earliest=-15m, not earliest_time=... if you are using within the search string. It is earliest_time from the API, which would be a separate CLI argument.

From the CLI, how do I run a simple search through the last 15 minutes of data?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life