https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221730#M188172 <P>Hi,<BR /> I have the following simple search.<BR /> sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security earliest=-1w</P> <P>When i run this search i do not get results. But when i remove the earliest command, I get the results. <BR /> All the results have todays date as time. So it should return result when I put earliest as 1 week back.</P> <P>Why is earliest not working</P> <P>Thanks</P> Tue, 29 Sep 2020 07:50:07 GMT GauriSplunk 2020-09-29T07:50:07Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221730#M188172 <P>Hi,<BR /> I have the following simple search.<BR /> sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security earliest=-1w</P> <P>When i run this search i do not get results. But when i remove the earliest command, I get the results. <BR /> All the results have todays date as time. So it should return result when I put earliest as 1 week back.</P> <P>Why is earliest not working</P> <P>Thanks</P> Tue, 29 Sep 2020 07:50:07 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221730#M188172 GauriSplunk 2020-09-29T07:50:07Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221731#M188173 <P>Does putting around source &amp; sourcetype make any difference? </P> <P>sourcetype="ib:reserved1" source="ib:user:user_login" index="ib_security" earliest=-1w</P> Tue, 29 Sep 2020 07:49:58 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221731#M188173 sundareshr 2020-09-29T07:49:58Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221732#M188174 <P>No, I tried again with and without quotes around various pieces but just can't make it misbehave. I've also tried the various pieces individually and in various combinations. If GauriSplunk can reproduce this at will, I expect Splunk Support will definately want to take a look at this.</P> Sun, 08 Nov 2015 20:27:14 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221732#M188174 Richfez 2015-11-08T20:27:14Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221733#M188175 <P>I am sorry, I was careless and made a silly mistake in my testing and retract my confirmation of this problem. I am unable to reproduce it.</P> Mon, 09 Nov 2015 06:27:14 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221733#M188175 woodcock 2015-11-09T06:27:14Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221734#M188176 <P>the date on my events was greater than current date. (maybe the date on that machine was wrongly set).<BR /> So I believe it takes latest as now by default.<BR /> so earliest=-1w and latest = now , it didnt match the events.</P> <P>If it didnt take any default value for latest, it would have worked.</P> Mon, 09 Nov 2015 17:39:37 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221734#M188176 GauriSplunk 2015-11-09T17:39:37Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221735#M188177 <P>Hi GauriSplunk,</P> <P>I converted your comment to an answer since it looks like you solved your time stamp issue/problem by setting a <CODE>latest</CODE> value in the search. Is that correct?</P> <P>cheers, MuS</P> Mon, 09 Nov 2015 20:16:26 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221735#M188177 MuS 2015-11-09T20:16:26Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221736#M188178 <P>Running this search on Splunk 6.3.1 on Linux works:</P> <PRE><CODE>index="_internal" sourcetype="splunkd" source="*metrics.log" earliest=-1w </CODE></PRE> <P>It will return <CODE>450,072 events (before 11/10/15 9:19:03.378 AM)</CODE></P> Mon, 09 Nov 2015 20:20:19 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221736#M188178 MuS 2015-11-09T20:20:19Z https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221737#M188179 <P>yes. thanks</P> Mon, 09 Nov 2015 21:02:28 GMT https://community.splunk.com/t5/Splunk-Search/earliest-1w-does-not-work/m-p/221737#M188179 GauriSplunk 2015-11-09T21:02:28Z