Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to add static date to time.conf

toekneeh
Engager
‎02-12-2013 10:22 AM

I have tried to modify my time.conf to have a static set of dates I can select. I added the following to my time.conf file:
[demo_last_7]
label = Demo Last 7 Days
header_label = in the last 7 days
earliest_time = "02/04/2013:00:00:00"
latest_time = "02/11/2013:09:00:00"
order = 200

I have tried this with/without quotes. I tried with a space between date and time. I also tried adding .0000 after the time. Nothing works, I always get "invalid earliest_time" in the ui. Any suggestions on how I can select a static date range from the dropdown in the app?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-12-2013 11:39 AM

I believe that you can specify absolute timeranges in times.conf, but you have to specify them as epochtime values.

To convert your two times to epochtime I'd need to know your timezone, however for the sake of giving an answer, if your timezone was GMT, I believe your config for those two times would look like: 

[demo_last_7]
label = Demo Last 7 Days
header_label = in the last 7 days
earliest_time = 1359936000
latest_time = 1360573200
order = 200

A number of online converters are available that can take dates to epochtime integers and vice versa.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-12-2013 11:39 AM

I believe that you can specify absolute timeranges in times.conf, but you have to specify them as epochtime values.

To convert your two times to epochtime I'd need to know your timezone, however for the sake of giving an answer, if your timezone was GMT, I believe your config for those two times would look like: 

[demo_last_7]
label = Demo Last 7 Days
header_label = in the last 7 days
earliest_time = 1359936000
latest_time = 1360573200
order = 200

A number of online converters are available that can take dates to epochtime integers and vice versa.

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎02-12-2013 11:57 AM

Well I think it's trying to talk about two different things. in times.conf you're specifying time arguments for the search API, in the way that they're supposed to be sent. When you type earliest="" and latest="" into the actual search, that's kind-of legacy functionality. And in the search string there's a default timeformat that it can use to translate the time to epochtime, but in times.conf there's no timeformat anywhere for it to pick up on.

Reply
Solved! Jump to solution

toekneeh
Engager
‎02-12-2013 11:55 AM

Thank you, that works. Looks like the documentation is incorrect. I got the date time format from the following help page:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

That should probably be updated

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...