Hi,

Have you looked at the strptime function for eval? This will let you create a new field in which you convert your Date string to epoch. I don't believe you can perform operations like greater-than or less-than directly on strings like your Date.

... | eval blah = strptime(Date, "%d/%m/%Y %H:%M:%S")

Unfortunately this requires you to specify your time constraints in epoch which is not as easy as one would like. However, you can do the same trick again in the search, so that it reads;

...| eval mylimit=strptime("24 Jun 2012 23:52:55","%d %b %Y %H:%M:%S")
| eval blah = strptime(Date, "%d/%m/%Y %H:%M:%S")
| where blah < mylimit

As you can see there are different date patterns used, and you can use whichever you like AS LONG AS the strptime pattern matches the string. The format of the date string is already set in the event, so the pattern for that is set, but the date string used for mylimit is determined by you, so you can use any format you like, just make sure that the pattern (i.e. "%Y %m %d" etc etc) matches.

If you don't want to complicate things, use the same for both Date and mylimit, and write your mylimit string accordingly.

For more information see;

http://strftime.org/

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/CommonEvalFunctions

UPDATE:

The string and pattern within the strptime function must match in order for this to make sense:

string           pattern
22Apr2004        %d%b%Y
2001-11-14       %Y-%m-%d
Dec 24, 1988     %b %d, %Y

If you do not specify a time part of the string and pattern, the start of the day will be used (00:00:00), so your search from the 26th to the 30th would not include any events from the 30th.

Also, I'm not sure that you should use earliest and latest, since they are reserved words in splunk, and will act as constraints on _time.

Hope this helps,

/Kristian