Splunk Search

what is the format to use for a date in a search / dashboard

mataharry
Communicator

I tried to specify an exact date for a search time range, but couldn't make it work

Relative and epoch dates work: earliest=-5d@d or earliest=1352750400

but these fail:
earliest="2012/11/12 20:00:00" or "2012-11-12 8:00:00 pm" or "12/11/2012 20:00:00.000"


thellmann
Splunk Employee

Thread necromancy I know, but this answer still pops up on the first page of Google results. 

If you are trying to set the earliest/latest time in SimpleXML, you need to use either a relative time or Unix epoch time - the date format as described in the original solution does not work afaik. This is documented here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/PanelreferenceforSimplifiedXML#search

If you are trying to set earliest/latest using SPL, I think yannk's answer is still correct and the reference on this page is correct: https://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Specifytimemodifiersinyoursearch#Spe...

mIliofotou_splu
Splunk Employee

As stated by others, the default timestamp format is "%m/%d/%Y:%H:%M:%S", but you can change that!

With the current Splunk 6.4 you specify a different formatter using this syntax:

... timeformat="%Y-%m-%d %H:%M:%S" latest="2016-9-22 12:56:11"

Latest documentation for search time modifiers can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers
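
As an added worked example (not code from any poster in this thread and not Splunk's own), the following Python resolves earliest=/latest= values the way the thread describes: an epoch integer, a subset of relative modifiers such as -5d@d, and an absolute timestamp under the default %m/%d/%Y:%H:%M:%S that yannK gives or under a timeformat= override as in mIliofotou_splu's example. It assumes UTC throughout (Splunk itself applies the user's configured time zone), and its snap-to logic covers only s/m/h/d; both are simplifications of this example, not Splunk behaviour. Resolving the thread's own values shows the point the later comments make: "12/11/2012:20:00:00" is 11 December under the default format and becomes 12 November only with timeformat="%d/%m/%Y:%H:%M:%S", while the epoch 1352750400 from the question is 12 November 2012 20:00 UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Splunk's default format for absolute earliest=/latest= values, as stated in the thread.
DEFAULT_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"

# Relative-modifier subset handled here: optional signed offset (unit defaults to
# seconds, as in Splunk) followed by an optional "@unit" snap. Month/year units and
# week snapping are deliberately left out of this example.
_RELATIVE = re.compile(
    r"^(?:now|(?P<off>[+-]?\d+)(?P<unit>s|m|h|d|w)?)?(?:@(?P<snap>s|m|h|d))?$"
)
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def _snap(dt, unit):
    """Truncate dt to the start of the given unit (the '@' snap-to in a modifier)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)  # "d"


def to_epoch(value, timeformat=DEFAULT_TIMEFORMAT, now=None):
    """Resolve an earliest=/latest= value to epoch seconds.

    `value` may be an epoch integer, a relative modifier such as -5d@d, or an
    absolute timestamp written in `timeformat`. `now` is the reference time as
    epoch seconds (defaults to the current time). Assumption of this example:
    everything is interpreted in UTC.
    """
    value = value.strip().strip('"')
    now_dt = (datetime.fromtimestamp(now, timezone.utc) if now is not None
              else datetime.now(timezone.utc))
    if value.isdigit():
        return int(value)
    m = _RELATIVE.match(value)
    if m and (value == "now" or m.group("off") or m.group("snap")):
        dt = now_dt
        if m.group("off"):
            unit = m.group("unit") or "s"
            dt = dt + timedelta(seconds=int(m.group("off")) * _UNIT_SECONDS[unit])
        if m.group("snap"):
            dt = _snap(dt, m.group("snap"))
        return int(dt.timestamp())
    # Absolute timestamp: strptime follows the field order of `timeformat`, so the
    # same digits "12/11/2012" mean 11 December under %m/%d/%Y and 12 November
    # under %d/%m/%Y. A value that fits neither form raises ValueError.
    dt = datetime.strptime(value, timeformat).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def to_iso(value, timeformat=DEFAULT_TIMEFORMAT, now=None):
    """Same as to_epoch, rendered as an unambiguous ISO 8601 UTC string."""
    epoch = to_epoch(value, timeformat, now)
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed reference time for the relative example: 2012-11-17 15:30:00 UTC.
    ref_now = 1353166200
    print("epoch from the question:", to_iso("1352750400"))
    print("-5d@d relative to ref_now:", to_iso("-5d@d", now=ref_now))
    print("default format:", to_iso("12/11/2012:20:00:00"))
    print("day-first override:", to_iso("12/11/2012:20:00:00", "%d/%m/%Y:%H:%M:%S"))
    print("timeformat example:", to_iso("2016-9-22 12:56:11", "%Y-%m-%d %H:%M:%S"))
```

When scoping an incident window with absolute bounds, rendering both bounds through something like to_iso before running the search catches a swapped day and month before it silently narrows the evidence you pull.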

greathera
Explorer

The stated default time format and the example given do not match up.
The default time format shown is month / day / year. But the example shows day/month/year.

The same error occurs in the example given in the docs located at http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/SearchTimeModifiers

"the default time format is %m/%d/%Y:%H:%M:%S
example : from November 12th to 15th at 8pm
earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00""

yannK
Splunk Employee

The default time format is %m/%d/%Y:%H:%M:%S

Example: from November 12th to 15th at 8pm

earliest="12/11/2012:20:00:00" latest="15/11/2012:20:00:00"

or in a dashboard:

<earliestTime>12/11/2012:20:00:00</earliestTime>

It is explained here, under timeformat:
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/SearchTimeModifiers

daniel_augustyn
Contributor

I downvoted this post because day/month is opposite

daniel_augustyn
Contributor

Can Splunk start using a day in the 20th-30th range in their examples, so there isn't so much confusion here? I love examples with 11/12/2012, which could be either day/month or month/day.

rnotch
Explorer

I downvoted this post because, yes, since the example and explanation feature conflicting data, it is impossible to tell from this response which is correct.

aculveruwo
Explorer

Yeah, please fix your response to clarify. You say the format is %m/%d/%Y.. (American format) but then you set earliest and latest to show the day first %d/%m/%Y.. (International format).

Rocky31
Path Finder

What if I need to change it to 4 hours?

kyleharrison
Path Finder

Took me a while to notice your example had the day and month the wrong way round, should be: earliest="11/12/2012:20:00:00" latest="11/12/2012:20:00:00"

Drainy
Champion