topic Re: About time modifier in Splunk Search

About time modifier

yuwtennis — Tue, 10 Dec 2013 12:47:34 GMT

Hi!

I am considering to use summary index to effectively search massive data.
To do this, I am considering to set saved search and use time modifier to slide the time range ever time
the search is executed.

what I am trying to set is

earliest = @quarter-6mon latest=@quarter-3mon

I am planning to execute the above time modifier every calendar quarter.
I believe there will be a point where it is overlapped by both search.

For example,

1st search is executed at 2013/4 the time modifier will be,
2012/10/1 - 2013/1/1

Next time executed,
2013/1/1 - 2013/4/1

So 2013/1/1 is overlapped .

Would there be any way to elude this ?

Thanks,
Yu

Re: About time modifier

martin_mueller — Tue, 10 Dec 2013 13:43:10 GMT

I doubt there actually is a day of overlap, because both are pointing to midnight / 00:00 that day.

Re: About time modifier

yuwtennis — Wed, 11 Dec 2013 06:27:45 GMT

Hello martin_mueller.

Thank you for the comment.

Wouldn't events that has "2013/1/1 00:00" be overlapped?

Thanks,
Yu

Re: About time modifier

martin_mueller — Wed, 11 Dec 2013 08:20:39 GMT

No. Mathematically speaking, the timerange searched is the interval [earliest, latest). In other words, events occurring at the earliest timestamp are included while events occurring at the latest timestamp are not.