I have to fetch results for an event happened on Sep. 1 and Sep. 6.
How do I specify two dates in single query?
Hey @chetanhonnavile, if these answers solved your problem, remember to "Accept" an answer to award karma points 🙂
Probably the best method is to use eval and strptime / strftime to make the time field you need. Then search against that.
Method:
Example:
index=ABC "error"
| eval date=strftime(_time, "%Y-%m-%d")
| search date="2017-09-01" OR date="2017-09-06"
Here are some pretty good links to help you out if you ever want to research / play. Also, you may want to use this against a time in your log rather than the default _time field.
http://www.foragoodstrftime.com/
https://answers.splunk.com/answers/56072/time-format-conversion-using-strptime.html
Try the query below. Just to show the results, I used head 1.
index=_internal earliest=1504238400 latest=1504324799 | head 1 | append [search index=_internal earliest=1504670400 latest=1504756799 | head 1]
Hi chetanhonnavile,
you can use multiple time modifiers in your search, just try this:
your search here earliest="09/1/2017:00:00:00" latest="09/1/2017:23:59:59" OR earliest="09/6/2017:00:00:00" latest="09/6/2017:23:59:59"
This will return the events from your base search on 1 September or 6 September. You can read more about the time modifiers here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers
Hope this helps ...
cheers, MuS
Does this produce a window of time? I think the user wants to see either X OR Y for date.
Just try it and you will see that it gets events from either 1 September OR 6 September in the most efficient way 😉
cheers, MuS
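The epoch windows from the head-1 answer and the OR'd time modifiers from MuS's answer, worked through in Python as an added example (not code from this thread): day_window, multi_day_search and in_any_window are my own names, and the fixed UTC-4 offset (EDT) is an assumption chosen so that the 2017-09-01 window starts at the 1504238400 used in the epoch answer. It also assumes Splunk's range test is earliest-inclusive and latest-exclusive, which is why latest is the next midnight rather than 23:59:59.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed fixed UTC-4 offset for the demo (EDT). zoneinfo.ZoneInfo("America/New_York")
# would additionally follow DST changes; a fixed offset keeps the example dependency-free.
EDT = timezone(timedelta(hours=-4))


def day_window(day: str, tz: tzinfo = timezone.utc) -> tuple[int, int]:
    """Epoch bounds (earliest, latest) for one calendar day in time zone tz.

    earliest is local midnight and latest is the *next* local midnight:
    Splunk applies earliest <= _time < latest, so an event logged at
    23:59:59.5 is kept here, whereas latest=23:59:59 would drop it.
    """
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=tz)
    end = start + timedelta(days=1)  # wall-clock arithmetic: stays at midnight in tz
    return int(start.timestamp()), int(end.timestamp())


def multi_day_search(base: str, days: list[str], tz: tzinfo = timezone.utc) -> str:
    """Build '<base> (earliest=A latest=B) OR (earliest=C latest=D) ...'.

    Each window is parenthesised so the OR cannot bind to a neighbouring term
    of the base search.
    """
    clauses = ["(earliest={} latest={})".format(*day_window(d, tz)) for d in days]
    return "{} {}".format(base, " OR ".join(clauses))


def in_any_window(ts: float, days: list[str], tz: tzinfo = timezone.utc) -> bool:
    """Replay Splunk's range test locally for a single event timestamp.

    Useful when checking whether a suspicious event's _time really falls on one
    of the incident days before building the search around it.
    """
    return any(e <= ts < l for e, l in (day_window(d, tz) for d in days))


if __name__ == "__main__":
    print(multi_day_search('index=_internal "error"', ["2017-09-01", "2017-09-06"], EDT))
```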