Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to add static date to time.conf

toekneeh
Engager
‎02-12-2013 10:22 AM

I have tried to modify my time.conf to have a static set of dates I can select. I added the following to my time.conf file:
[demo_last_7]
label = Demo Last 7 Days
header_label = in the last 7 days
earliest_time = "02/04/2013:00:00:00"
latest_time = "02/11/2013:09:00:00"
order = 200

I have tried this with/without quotes. I tried with a space between date and time. I also tried adding .0000 after the time. Nothing works, I always get "invalid earliest_time" in the ui. Any suggestions on how I can select a static date range from the dropdown in the app?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-12-2013 11:39 AM

I believe that you can specify absolute timeranges in times.conf, but you have to specify them as epochtime values.

To convert your two times to epochtime I'd need to know your timezone, however for the sake of giving an answer, if your timezone was GMT, I believe your config for those two times would look like: 

[demo_last_7]
label = Demo Last 7 Days
header_label = in the last 7 days
earliest_time = 1359936000
latest_time = 1360573200
order = 200

A number of online converters are available that can take dates to epochtime integers and vice versa.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-12-2013 11:39 AM

I believe that you can specify absolute timeranges in times.conf, but you have to specify them as epochtime values.

To convert your two times to epochtime I'd need to know your timezone, however for the sake of giving an answer, if your timezone was GMT, I believe your config for those two times would look like: 

[demo_last_7]
label = Demo Last 7 Days
header_label = in the last 7 days
earliest_time = 1359936000
latest_time = 1360573200
order = 200

A number of online converters are available that can take dates to epochtime integers and vice versa.

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎02-12-2013 11:57 AM

Well I think it's trying to talk about two different things. in times.conf you're specifying time arguments for the search API, in the way that they're supposed to be sent. When you type earliest="" and latest="" into the actual search, that's kind-of legacy functionality. And in the search string there's a default timeformat that it can use to translate the time to epochtime, but in times.conf there's no timeformat anywhere for it to pick up on.

Reply
Solved! Jump to solution

toekneeh
Engager
‎02-12-2013 11:55 AM

Thank you, that works. Looks like the documentation is incorrect. I got the date time format from the following help page:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

That should probably be updated

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...