https://community.splunk.com/t5/Splunk-Enterprise/Searches-are-not-using-earliest-and-latest-time-modifiers/m-p/741041#M21801 <P>Hello, and I have another weird issue:<BR />When I execute a search on a SHC in the Search and Reporting App, getting data from 2025-02-27<BR />index=test earliest=-7d@d latest=-6d@d<BR />I get zero events<BR />When I execute the search WITHOUT the earliest and latest time modifiers and use the Time Picker in the UI which results in "during Thu, Feb 27, 2025"<BR />I get around 167,153 results</P><P><SPAN>Specifying the time range with earliest and latest time modifiers is NOT giving me the "Your timerange was substituted based on your search string".<BR /></SPAN></P><P><SPAN>If I use tstats, I get the correct number of events, the correct date, and the message&nbsp;"Your timerange was substituted based on your search string" is present</SPAN></P><P><SPAN>| tstats count where index=test earliest=-7d@d latest=-6d@d by _time span=d<BR /><BR /></SPAN></P><P><SPAN>I also made index=test earliest=-7d@d latest=-6d@d a saved search which executes every 10 minutes - zero events.</SPAN></P><P><SPAN>Another bit of weirdness:<BR />If I run that search, and specify "All time", it will pull events ONLY for 2025-02-27. Nothing for other dates, and it has 12 months of events, populated for every day. So, it looks at both the time qualifiers and the time picker under that scenario.<BR /><BR />Any ideas what might be causing this? (I have several standalone searchheads that are working fine)</SPAN></P> Thu, 06 Mar 2025 18:39:32 GMT TheJagoff 2025-03-06T18:39:32Z https://community.splunk.com/t5/Splunk-Enterprise/Searches-are-not-using-earliest-and-latest-time-modifiers/m-p/741041#M21801 <P>Hello, and I have another weird issue:<BR />When I execute a search on a SHC in the Search and Reporting App, getting data from 2025-02-27<BR />index=test earliest=-7d@d latest=-6d@d<BR />I get zero events<BR />When I execute the search WITHOUT the earliest and latest time modifiers and use the Time Picker in the UI which results in "during Thu, Feb 27, 2025"<BR />I get around 167,153 results</P><P><SPAN>Specifying the time range with earliest and latest time modifiers is NOT giving me the "Your timerange was substituted based on your search string".<BR /></SPAN></P><P><SPAN>If I use tstats, I get the correct number of events, the correct date, and the message&nbsp;"Your timerange was substituted based on your search string" is present</SPAN></P><P><SPAN>| tstats count where index=test earliest=-7d@d latest=-6d@d by _time span=d<BR /><BR /></SPAN></P><P><SPAN>I also made index=test earliest=-7d@d latest=-6d@d a saved search which executes every 10 minutes - zero events.</SPAN></P><P><SPAN>Another bit of weirdness:<BR />If I run that search, and specify "All time", it will pull events ONLY for 2025-02-27. Nothing for other dates, and it has 12 months of events, populated for every day. So, it looks at both the time qualifiers and the time picker under that scenario.<BR /><BR />Any ideas what might be causing this? (I have several standalone searchheads that are working fine)</SPAN></P> Thu, 06 Mar 2025 18:39:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/Searches-are-not-using-earliest-and-latest-time-modifiers/m-p/741041#M21801 TheJagoff 2025-03-06T18:39:32Z https://community.splunk.com/t5/Splunk-Enterprise/Searches-are-not-using-earliest-and-latest-time-modifiers/m-p/741045#M21802 <P>Found the issue:<BR />We built a standalone SH and copied the $SPLUNK_HOME/etc/apps directory from the SHC to it.&nbsp;<BR /><SPAN>Started removing apps on the test server, one at a time, and when we removed one of the Apps and restarted., the searches started to work again.<BR />One of our crew found the following in the app the was just removed:</SPAN><BR /><SPAN>[source::stream:Gigamon]</SPAN><BR /><SPAN>EVAL-_time = strptime('timestamp', "%Y-%m-%dT%H:%M:%S,%N")<BR /><BR /></SPAN><SPAN>This seems to be the issue. We went back to the SHC and specified a source without removing anything and it pulled data. Not really clear on why that would make a difference, but it does.<BR /><BR />The main takeaway from this is that a configuration change that had an effect on _time caused this issue.<BR /></SPAN></P> Thu, 06 Mar 2025 19:53:24 GMT https://community.splunk.com/t5/Splunk-Enterprise/Searches-are-not-using-earliest-and-latest-time-modifiers/m-p/741045#M21802 TheJagoff 2025-03-06T19:53:24Z