Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Invalid value X for time term 'earliest', but only for specific dates

LS2022
Explorer
‎12-21-2022 03:45 AM

Hello Splunk Community,

I'm running a script using the splunk CLI to retrieve the required information. The script has previously been run multiple times without issue.
I am now receiving the following error, but only for specific dates.
FATAL: Invalid value "14/10/2022:2:0:00" for time term 'earliest'

I can reproduce the problem in the graphical interface but if I change the date to '12/10/2022' the query is successful. Likewise, seaching for all logs for the date through the GUI returns the logs for the day. The script has already turned over the first 12 days of the month without error so the syntax is good, and the logs are indexed.

Anyone have any ideas why I am receiving this error only for specific dates within the month?

PS:
Can also reproduce in a different month with the same dates. 12 returns results, 13 returns an error.

Kind regards,

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-21-2022 03:59 AM

Hi @LS2022,

you have a wrong time format in your data or in your script: you're using european format (dd/mm/yyyy) instead Splunk, by default uses the american format (mm/dd/yyyy)

so if the date is 12/10/2022 it reads 10th of december 2022, but 14/10/2022 isn't acceptable because months are 12.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-21-2022 03:59 AM

Hi @LS2022,

you have a wrong time format in your data or in your script: you're using european format (dd/mm/yyyy) instead Splunk, by default uses the american format (mm/dd/yyyy)

so if the date is 12/10/2022 it reads 10th of december 2022, but 14/10/2022 isn't acceptable because months are 12.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LS2022
Explorer
‎12-21-2022 04:02 AM

Hello,

Thanks for your reply.

Is this a recent change?

As mentioned, the script previously ran fine. To clarify I am running the script for October and have previously done so without issue, with the range of dates being provided as 01/10/2022 to 30/10/2022.

Kind regards,

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-21-2022 05:23 AM

Hi @LS2022,

no it always was in this way: it's a standard approach in american products, maybe it's changed something in your time definition.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

LS2022
Explorer
‎12-21-2022 04:19 AM

Am thinking that as the scdript was run out of hours it processed for the valid dates.
Which would mean we are missing half of every month in previous results.

Gah!

Will go fiddle with the date format and double check the results. Thank for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...