Splunk search epoch error (Search Timeframe)

jerusalem_strangely · July 12, 2022, 11:02am

I’m trying to run a splunk search in my workflow and wish to specify the time range of the search. I tried doing this in the query itself but I get no result. i.e
search earliest=-30d latest=now index=[insert whatever]

My next time step was to use the search timeframe. So I wrote a python script to parse out current time and last 30days. The script works perfectly fine.
When input it as [earliesttime]-[currenttime] → 1655031326-1657623326 in the search timeframe
no error but also no result.

If i dont specify the time range anywhere (query and search timeframe) I get the expected result.

So what am I doing wrong here? am I separating the time wrong? if it’s not ‘-’ then what is it?

brandon_mcclure · July 13, 2022, 1:23pm

I use this syntax all the time and it works for me. I even have earliest and latest defined by the Datetime Plugin with the Epoch from Date action.
search index=<Index> sourcetype=<Sourcetype> earliest=-30d@d latest=now

jerusalem_strangely · July 14, 2022, 11:53am

unfortunately it does not works still.

I found a workaround where if I set the earliest time in the search timeframe and include latest=now in the search query
i.e search index= sourcetype= latest=now
Search timeframe:
{{[“SplunkDate”].[pastdate]}}

seems to produce a result. though I will need to do few tests to see if the time range is matching up