https://community.splunk.com/t5/Splunk-Search/What-time-does-d-snap-to-Does-it-change/m-p/519925#M146410 <P>I am searching IIS logs, trying to calculate the number of GB transferred each day for the last 7 days.&nbsp; Here is my search:</P><P>index=iis sourcetype=iis cs_user_agent="JTDI*" earliest=-7d@d<BR />| stats sum(cs_bytes) as UPLOADS, sum(sc_bytes) as DOWNLOADS by date_mday<BR />| eval UPLOADS=round(UPLOADS/1024/1024/1024,2)<BR />| eval DOWNLOADS=round(DOWNLOADS/1024/1024/1024,2)<BR />| rename date_mday as "Day of the Month"| sort -"Day of the Month"</P><P>The problem I am having is that I get a different result for the 7th day if I use <A href="mailto:-7d@d" target="_blank" rel="noopener">-7d@d</A>&nbsp;vs <A href="mailto:-8d@d" target="_blank" rel="noopener">-8d@d</A>.&nbsp; In both cases, every day should be the total for that day since midnight.&nbsp; So when I search over 8 days, why does my 7th day have more data?</P> Wed, 16 Sep 2020 13:38:01 GMT DaClyde 2020-09-16T13:38:01Z https://community.splunk.com/t5/Splunk-Search/What-time-does-d-snap-to-Does-it-change/m-p/519925#M146410 <P>I am searching IIS logs, trying to calculate the number of GB transferred each day for the last 7 days.&nbsp; Here is my search:</P><P>index=iis sourcetype=iis cs_user_agent="JTDI*" earliest=-7d@d<BR />| stats sum(cs_bytes) as UPLOADS, sum(sc_bytes) as DOWNLOADS by date_mday<BR />| eval UPLOADS=round(UPLOADS/1024/1024/1024,2)<BR />| eval DOWNLOADS=round(DOWNLOADS/1024/1024/1024,2)<BR />| rename date_mday as "Day of the Month"| sort -"Day of the Month"</P><P>The problem I am having is that I get a different result for the 7th day if I use <A href="mailto:-7d@d" target="_blank" rel="noopener">-7d@d</A>&nbsp;vs <A href="mailto:-8d@d" target="_blank" rel="noopener">-8d@d</A>.&nbsp; In both cases, every day should be the total for that day since midnight.&nbsp; So when I search over 8 days, why does my 7th day have more data?</P> Wed, 16 Sep 2020 13:38:01 GMT https://community.splunk.com/t5/Splunk-Search/What-time-does-d-snap-to-Does-it-change/m-p/519925#M146410 DaClyde 2020-09-16T13:38:01Z https://community.splunk.com/t5/Splunk-Search/What-time-does-d-snap-to-Does-it-change/m-p/519937#M146412 <P>Tthe easiest way to see how time modifiers are used to for earliest and latest time is just run a search with non-existing index like below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="time-modifier.png" style="width: 625px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10863i935D3595F857BF88/image-size/large?v=v2&amp;px=999" role="button" title="time-modifier.png" alt="time-modifier.png" /></span></P><P>I tried your query with internal logs and I don't see a problem. 9th - 16th are common for both queries with <A href="mailto:-7d@d" target="_blank">-7d@d</A>&nbsp;and <A href="mailto:-8d@d" target="_blank">-8d@d time modifiers.</A></P><P>I see slight difference on 16th that could be because of new events might have come while main search is running.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="compare_8_7_days.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10864i714E93B4EC820A05/image-size/large?v=v2&amp;px=999" role="button" title="compare_8_7_days.png" alt="compare_8_7_days.png" /></span></P> Wed, 16 Sep 2020 14:08:22 GMT https://community.splunk.com/t5/Splunk-Search/What-time-does-d-snap-to-Does-it-change/m-p/519937#M146412 thambisetty 2020-09-16T14:08:22Z https://community.splunk.com/t5/Splunk-Search/What-time-does-d-snap-to-Does-it-change/m-p/519946#M146414 <P>Yes, the 16th makes sense because of on-going operations, but my problem has been with the value for the 9th.&nbsp; I will try it with some other indexes and see if I still have the same problem.</P> Wed, 16 Sep 2020 14:55:02 GMT https://community.splunk.com/t5/Splunk-Search/What-time-does-d-snap-to-Does-it-change/m-p/519946#M146414 DaClyde 2020-09-16T14:55:02Z