I'm trying to use earliest and latest in the REST API in Splunk 4.3.1, but it seems like it is being ignored. Here is my curl command:
curl -k -u user:password \
  https://splunkweb:8089/services/search/jobs/export \
  -d search="search index%3Dunix_logs |head 10 |eval event_time%3Dstrftime(_time,%22%25F %25T%22) |table event_time,sourcetype,user" \
  -d earliest=-2d \
  -d latest=-2d+10m \
  -d output_mode=csv
The output starts something like this:
"event_time",sourcetype,user
"2013-06-06 10:50:20",sshd,
"2013-06-06 10:05:25",sshd,
"2013-06-06 10:05:25",sshd,tes
"2013-06-06 10:05:25",sshd,root
"2013-06-06 10:05:25",sshd,
...
This is tomorrow's date rather than 2 days ago.
As a bonus, can I specify an absolute time like "6/5/2013:10:00:00"?
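An added example, not part of the question above: Splunk's REST search endpoints take the time bounds as `earliest_time` and `latest_time` (the `earliest`/`latest` names from the search bar are not request parameters), and absolute times use the `%m/%d/%Y:%H:%M:%S` form. The helper below builds the export request body with the right names, verifies the server certificate instead of using `-k`, and checks the returned `event_time` column against the requested window so a silently ignored bound shows up as a non-empty list. The CSV sample and the CA bundle path are constructed placeholders.

```python
import csv
import io
import ssl
import urllib.parse
import urllib.request
from base64 import b64encode
from datetime import datetime

def build_export_params(search, earliest_time, latest_time, output_mode="csv"):
    """URL-encoded form body for POST /services/search/jobs/export.
    Splunk reads earliest_time/latest_time here, not earliest/latest."""
    if not search.lstrip().startswith(("search ", "|")):
        search = "search " + search
    return urllib.parse.urlencode({
        "search": search,
        "earliest_time": earliest_time,   # e.g. "-2d" or "6/5/2013:10:00:00"
        "latest_time": latest_time,       # e.g. "-2d+10m" (urlencode escapes the +)
        "output_mode": output_mode,
    })

def run_export(base_url, user, password, body, cafile):
    """POST the export with TLS verification against a known CA bundle
    (cafile is an assumed path), instead of disabling checks with curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(base_url + "/services/search/jobs/export",
                                 data=body.encode(), method="POST")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()

def parse_splunk_abs_time(text):
    """Absolute time in Splunk's %m/%d/%Y:%H:%M:%S form, e.g. 6/5/2013:10:00:00."""
    return datetime.strptime(text, "%m/%d/%Y:%H:%M:%S")

def events_outside_window(csv_text, window_start, window_end):
    """event_time values (formatted by the question's strftime %F %T) that fall
    outside [window_start, window_end]; non-empty means the bounds were ignored."""
    bad = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = datetime.strptime(row["event_time"], "%Y-%m-%d %H:%M:%S")
        if not (window_start <= t <= window_end):
            bad.append(row["event_time"])
    return bad

# Constructed sample in the shape of the question's CSV output, not real data.
SAMPLE_CSV = (
    '"event_time",sourcetype,user\n'
    '"2013-06-06 10:50:20",sshd,\n'
    '"2013-06-05 10:05:25",sshd,root\n'
)
```

To run against a live instance, pass `build_export_params(...)` to `run_export("https://splunkweb:8089", user, password, body, cafile)` and feed the returned text to `events_outside_window`.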