Search for events in a specific time range

bhiley
Explorer

I have data, e.g., as follows:

rectype=031 OMD_StrtTime_002="Wed Jul 20 02:59:59 2011" OMD_Endtime_003="Wed Jul 20 03:59:57 2011" etc

Splunk correctly extracts the first datetime as the timestamp for the event (and I assume it identifies the second one as a timestamp?).
I want to search for events where OMD_StrtTime_002 > 'some specified value' and OMD_Endtime_003 < 'some specified value'. What is the syntax for the query?
Can't seem to find an example on Splunkbase that applies, or write one that works.


bhiley
Explorer

Great, thanks, I'll try it.


dwaddle
SplunkTrust

Assuming that Splunk is already extracting these values as fields (which it should be), the easiest thing to do is convert everything to time_t. These are simple integers, easily compared.

rectype=031
| eval OMD_Strt_t=strptime(OMD_StrtTime_002,"%a %b %d %H:%M:%S %Y")
| eval OMD_End_t=strptime(OMD_Endtime_003,"%a %b %d %H:%M:%S %Y")
| eval target_start=strptime("Wed Jul 20 01:00:00 2011","%a %b %d %H:%M:%S %Y")
| eval target_end=strptime("Wed Jul 20 05:00:00 2011","%a %b %d %H:%M:%S %Y")
| where OMD_Strt_t > target_start AND OMD_End_t < target_end

It's a bit of hoop jumping just to get everything into nice, easy, comparable time_t integers, but it is worth it from a personal sanity point of view.

The problem here is that Splunk parses a timestamp from the event and stores it into _time, and you can limit your timerange to a specific range of _time values using earliest= and latest=. But, it doesn't implicitly see any other timestamp in the event as anything other than a string. You have to do something to parse it into something that is comparable.
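The conversion the answer describes, as an added Python example that is not part of the original thread: it extracts the key=value fields from a few constructed events, turns both timestamps into epoch integers with the same layout the answer's strptime() call uses (written with %a/%b for the abbreviated day and month names), and applies the start/end window. Passing compare=str instead shows what comparing the raw strings does, which is the "it's just a string" problem the answer warns about. It assumes the timestamps are UTC; Splunk's strptime() would use the search-time timezone.

```python
import re
import calendar
from datetime import datetime

# Constructed sample events in the layout shown in the question (not real log data).
# Event 4 is five years later: lexically it still looks like it falls inside the window.
SAMPLE_EVENTS = [
    'rectype=031 OMD_StrtTime_002="Wed Jul 20 02:59:59 2011" OMD_Endtime_003="Wed Jul 20 03:59:57 2011"',
    'rectype=031 OMD_StrtTime_002="Wed Jul 20 00:30:00 2011" OMD_Endtime_003="Wed Jul 20 01:30:00 2011"',
    'rectype=031 OMD_StrtTime_002="Wed Jul 20 04:10:00 2011" OMD_Endtime_003="Wed Jul 20 06:00:00 2011"',
    'rectype=031 OMD_StrtTime_002="Wed Jul 20 02:00:00 2016" OMD_Endtime_003="Wed Jul 20 03:00:00 2016"',
    'rectype=099 OMD_StrtTime_002="Wed Jul 20 02:00:00 2011" OMD_Endtime_003="Wed Jul 20 02:30:00 2011"',
]

# Same layout as the answer's strptime() format, using %a/%b for "Wed" and "Jul".
TIME_FMT = "%a %b %d %H:%M:%S %Y"
TARGET_START = "Wed Jul 20 01:00:00 2011"
TARGET_END = "Wed Jul 20 05:00:00 2011"

# key=value or key="quoted value", roughly what Splunk's automatic extraction yields.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def extract_fields(event):
    """Return the key=value pairs of one raw event as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(event)}


def to_epoch(text):
    """The strptime() step: turn the timestamp string into a comparable integer (UTC assumed)."""
    return calendar.timegm(datetime.strptime(text, TIME_FMT).timetuple())


def matching_events(events, target_start=TARGET_START, target_end=TARGET_END, compare=to_epoch):
    """Apply 'rectype=031 | where start > target_start AND end < target_end'.

    compare=to_epoch is the correct numeric comparison; compare=str reproduces
    the lexical comparison you get when the fields are left as strings.
    """
    hits = []
    for raw in events:
        fields = extract_fields(raw)
        if fields.get("rectype") != "031":
            continue
        if (compare(fields["OMD_StrtTime_002"]) > compare(target_start)
                and compare(fields["OMD_Endtime_003"]) < compare(target_end)):
            hits.append(raw)
    return hits
```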
