topic Setting up earliest and latest time with relative date and fixed time in Splunk Search

Setting up earliest and latest time with relative date and fixed time

AruBhende — Fri, 19 Mar 2021 17:29:13 GMT

I am trying to define a query where I have to use the earliest time as 2 days ago at 22:20:45 and latest time 1 day ago at 22:20:45

I tried different formats below

earliest=-2d@:22h:20m:45s

latest=-1d@d+20h+30m+45s

But - I am not sure if these are correct and also how can I check if this translates to the date and time I am trying to set.

Thank you

richgalloway — Sat, 20 Mar 2021 12:31:27 GMT

I've used similar formats before - only with a single add-on (-1@d+8h, for example) - but I think it should work.

Fix the earliest to -2d@d+22h+20m+45s

To verify you're getting the right start and end times, add the addinfo command to your query and display the info_min_time and info_max_time fields.