Splunk: search with starttime and endtime with format "%Y%m%d %H:%M:%S"

Question

I'm new to Splunk and I want to do a search that specifies the start and end time.

I am using curl to automate the process and calling it from a bash script.

I have the starttime and endtime values I want but they do not have the %d/%m/%Y:%H%M%S" format and converting my "%Y%m%d H:%M%S" in bash will be ugly.

Is there a way to use timeformat to make my life easier?

My curl command is made up like this:

curl -u "$user:$pass" -k https://$splunkserver/services/search/jobs/export      \
                -d search='search "'"$search"'" | search starttime="'"$STARTTIME"'" | search endtime="'$ENDTIME"'" | search index=$index sourcetype=$sourcetype'

If I use these values, it works:

STARTTIME=01/20/2022:23:59:00
ENDTIME=01/21/2022:01:00:00

But fails when use the values I have:

STARTTIME="20220120 23:59:00"
ENDTIME="20220121 01:00:00"

Feel free to suggest other improvements to my Splunk code.

Answer 1

You have to convert your human-readable timestamp to Unix epoch time - since _time is always in Unix epoch time

Check out strftime.org for the exact calls

Then you can send this in your curl call:

curl -u "$user:$pass" -k https://$splunkserver/services/search/jobs/export -d search='search "'"$search"'" | search index=$index sourcetype=$sourcetype' earliest=$STARTTIME latest=$ENDTIME'