Alerting

In time range picker, is the time range "Last 1 Day" the same as "Yesterday"?

SplunkLunk
Path Finder

Greetings,

I have a search time range set to "Yesterday" and when I save it as an alert it changes it to "Last 1 Day". Is that the same thing? Or is "Last 1 Day" the previous 24 hours from the time the alert is run?

I run an alert at 6:00 AM and I want the results to show for the previous day. I'm afraid when it runs it will give me everything from the last 24 hours (so from 6:00 AM to 6:00 AM). When I open the alert in "Search", it shows activity from today which leads me to believe it's giving me the last 24 hours of activity. I guess I'm just wondering why it changes from "Yesterday" to "Last 1 Day" when I save the alert and how I can ensure it only shows from the previous day (midnight to midnight)? Any advice would be appreciated. Thanks.

coltwanger
Contributor

I am also able to recreate this, and it seems like it's a bug. "Yesterday" should always mean "last full 24 hour period". Splunk 6.5.1

When I create a search and set the time picker to "Yesterday", the timeframe searched is:

(12/1/16 12:00:00.000 AM to 12/2/16 12:00:00.000 AM)

When I save this same search as an alert, set it to run every day at 0100, then open this alert in Search, the timeframe selected is now:
(12/1/16 1:11:45.000 PM to 12/2/16 1:11:45.000 PM)

Meaning, the last "24 hours" instead of the last "full 24 hours".

When I save this same search as an alert and set it to run once per week (Monday at 00:00), then open this alert in Search, the timeframe is now the past 7 days (not full 7 days, but the last 24 hours * 7 days):

(11/25/16 1:12:52.000 PM to 12/2/16 1:12:52.000 PM)

This is a pretty strange occurrence and I recommend using earliest and latest in your SPL until it gets resolved.

Edit:

Actually this seems to have been this way for a while. It doesn't really seem intuitive to me to overwrite your specified search timeframe with your scheduled alert timeframe. I would stick to using cron as your scheduling component and use -1d@d as the earliest time and @d as the latest time, then schedule cron to run it once per day.

0 Karma
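To make the difference between the two windows concrete, here is an added example (not code from this thread or from Splunk) that resolves a subset of Splunk's relative-time modifier syntax against a fixed "run time" and prints the resulting search window. It assumes only the offset (`[+|-]<int><unit>` with s/m/h/d) and snap (`@s`, `@m`, `@h`, `@d`, `@w`, `@w0`..`@w6`) forms, applied left to right, and naive local timestamps; month/year units are deliberately not handled. The helper names (`resolve`, `window`, `window_iso`) are this example's own.

```python
import re
from datetime import datetime, timedelta

# Added example: a small resolver for Splunk-style relative-time modifiers,
# written to compare the window behind "-24h .. now" with "-1d@d .. @d".
# Supported subset (an assumption of this example): offsets like -1d, +6h,
# -30m, -45s and snaps like @d, @h, @w (Sunday) or @w1 (Monday), chained
# left to right as Splunk does, e.g. "-1d@d" or "@d+6h".
_TOKEN = re.compile(r"([+-]?\d+)([smhd])|@([smhd]|w[0-6]?)")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def resolve(modifier: str, now: datetime) -> datetime:
    """Resolve one modifier (e.g. '-1d@d', '@w1', 'now') against `now`."""
    if modifier == "now":
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:                       # unparsed characters in between
            raise ValueError(f"unsupported modifier: {modifier!r}")
        pos = m.end()
        amount, unit, snap = m.groups()
        if snap is None:                           # an offset such as -1d or +6h
            t += timedelta(**{_UNIT[unit]: int(amount)})
        elif snap in "smhd":                       # snap down to the start of the unit
            fields = ["microsecond", "second", "minute", "hour"]
            keep = {"s": 1, "m": 2, "h": 3, "d": 4}[snap]
            t = t.replace(**{f: 0 for f in fields[:keep]})
        else:                                      # @w / @w0 = Sunday ... @w6 = Saturday
            target = int(snap[1:] or 0)            # Splunk numbering, 0 = Sunday
            py_weekday = (target - 1) % 7          # Python numbering, 0 = Monday
            back = (t.weekday() - py_weekday) % 7  # days since the most recent target day
            t = (t - timedelta(days=back)).replace(hour=0, minute=0,
                                                   second=0, microsecond=0)
    if pos != len(modifier):
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return t


def window(earliest: str, latest: str, now: datetime) -> tuple[datetime, datetime]:
    """Return the (earliest, latest) datetimes a search would cover if run at `now`."""
    return resolve(earliest, now), resolve(latest, now)


def window_iso(earliest: str, latest: str, now_iso: str) -> tuple[str, str]:
    """Same as window(), with ISO strings in and out (convenient for checks)."""
    start, end = window(earliest, latest, datetime.fromisoformat(now_iso))
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


if __name__ == "__main__":
    # Constructed run time: the 06:00 daily run from the question.
    run_at = "2016-12-02 06:00:00"
    for label, e, l in [("rolling 24 hours", "-24h", "now"),
                        ("previous calendar day", "-1d@d", "@d"),
                        ("previous calendar week", "-7d@w1", "@w1")]:
        start, end = window_iso(e, l, run_at)
        print(f"{label:22} earliest={e:7} latest={l:4} -> {start} .. {end}")
```

Run at 06:00 on 2016-12-02, the rolling window covers 2016-12-01 06:00 to 2016-12-02 06:00, while `-1d@d`/`@d` covers midnight to midnight of 2016-12-01, which is what the question asks for. In a saved search the equivalent is setting `dispatch.earliest_time = -1d@d` and `dispatch.latest_time = @d` in the savedsearches.conf stanza (or the same values in the alert's time range) and driving the run with `cron_schedule`, so the window no longer depends on the wall-clock time of the run.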

SplunkLunk
Path Finder

Thanks. I will give this a try and test it out. I won't be able to see if it's successful until tomorrow. If it is, then I will "Accept" your answer.

0 Karma