topic Re: earliest/latest returning zero results in Splunk Search

earliest/latest returning zero results

DEAD_BEEF — Wed, 02 Aug 2017 17:47:07 GMT

I apologize as I feel I am missing something very basic, but for the life of me I cannot get this query to work. I have a simple query and it is returning zero results. If I remove the earliest/latest, I get tons of results.

What syntactical mistake am I making? I have the time picker set to 1 hour, but my understanding is that when using earliest/latest, they override the time picker.

index=firewall earliest=-24@h latest=-12@h

Re: earliest/latest returning zero results

sbbadri — Wed, 02 Aug 2017 17:49:36 GMT

try this

index=firewall earliest=-24h@h latest=-12h@h

please go through below link,

http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch

Re: earliest/latest returning zero results

DalJeanis — Wed, 02 Aug 2017 17:52:01 GMT

I believe you are correct, and the explanation is that -24 means "subtract 24 seconds".

Re: earliest/latest returning zero results

DEAD_BEEF — Wed, 02 Aug 2017 17:58:28 GMT

Ahhh... I completely overlooked that extra character. I read the documentation but was clearly scanning the syntax too fast. Thank you!