Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I pass a specific time to a search run with the Python SDK?

anshanno
Path Finder
‎01-21-2017 01:17 PM

I have read the time modifier documentation here: https://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/SearchReference/SearchTimeModifiers#_time...

kwargs_export = {"earliest_time": "10/5/2016:20:00:00",
                 "latest_time": "now",
                 "search_mode": "normal"}

This is what I am passing for my search. I copy and pasted the date format exactly as it is in the documentation and I am getting the below error.

splunklib.binding.HTTPError: HTTP 400 Bad Request -- Invalid earliest_time.

Am I missing something? Any help is greatly appreciated! Thanks!

EDIT:

For those in the future looking for the answer, example below will work as expected.

kwargs_export = {"earliest_time": "2017-01-24T07:20:38.000-05:00",
                 "latest_time": "now",
                 "search_mode": "normal"}
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-21-2017 03:03 PM

To my knowledge there isn't an earliest_time or latest_time. Instead I believe you should be using earliest and latest without _time appended.

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎01-21-2017 03:03 PM

To my knowledge there isn't an earliest_time or latest_time. Instead I believe you should be using earliest and latest without _time appended.

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-23-2017 01:40 PM

Does earliest=now() work?

0 Karma
Reply
Solved! Jump to solution

anshanno
Path Finder
‎01-24-2017 05:53 AM

Apparently with the python SDK you need to specify the time in UTC format. That was my issue. Thanks for the help!

0 Karma
Reply
Solved! Jump to solution

anshanno
Path Finder
‎01-23-2017 05:15 AM

Ah. Fantastic, thanks. That was the error preventing it from running...Any idea why it doesn't stop at the specified latest value, "now"?.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-23-2017 07:12 AM

When I want "now" in splunk i typically use "now()". Have you tried that?

0 Karma
Reply
Solved! Jump to solution

anshanno
Path Finder
‎01-23-2017 08:27 AM

Whoops, I meant specified earliest value. It doesn't stop returning log files when the search reaches the specified earliest value. That was my mistake.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...