Re: -45m@d what it means

palisetty · ‎04-04-2020

Hi @gcusello hope you are doing good,
As far as I understand, m@d means, beginning of the day, and -45m@d means, 45 minutes before the beginning of the day. Kindly correct me, I am always confused with this

gcusello · ‎04-04-2020

Hi @palisetty,
you can use the same time unit before and after @: in other words you cannot use -45m@d, but you can use -45m@m or -2h@h to have a time frame that starts from the beginning of the time unit you used.

If you want a time frame that starts 45 minutes before the beginning of the previous day, you should try -d@d-45m.
In other words, you can add a different time unit only after the same you used.
Sorry, I'm not sure to be clear but the example should explain better!

Anyway, you can easily test your time definitions opening the search dashboard and manually inserting your time modifiers in the advanced section of the Time picker: under the text box to insert the time modifier, the related time is displayed.
e.g.:
if you insert -d@d-45m you have 4/3/20 11:15:00.000 PM.
In this way, you can easily identify your time modifiers.

Ciao.
Giuseppe

to4kawa · ‎04-05-2020

| makeresults count=2 
| streamstats count 
| eval time_args=if(count=2,"-45m@d","@d-45m") 
| eval _time=relative_time(_time,time_args)

-45m@d what it means

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life