time modifiers for start and end time with hour&mins

Path Finder

I would like to create a scheduled search that searches every 5 mins over a 5 min window but 5 hours ahead.

The start time I specified: +4h@h+55m
The finish time I specified: +5h@h

However, this does not work. Does anyone have any idea what the correct syntax should be?

0 Karma

Re: time modifiers for start and end time with hour&mins

Champion

I can't seem to get my head around "start" and "finish" atm, blank day 😉

Anyway, using something such as earliest=+4h latest=+5h in your search terms should do the job. If it doesn't work, come back with any errors; if it doesn't throw an error, then I suspect that you don't have any events within that time period. If this is for events in a different timezone, then you might find it more useful to amend their timestamp as the events arrive through a props config:
http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Propsconf

0 Karma

Re: time modifiers for start and end time with hour&mins

Path Finder

The start time I specified: +4h@h+55m@m
The finish time I specified: +5h@h

0 Karma
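
An added example, not part of the thread and not Splunk's own code: a simplified Python model of how chained relative time modifiers resolve (each offset or @ snap applied left to right), evaluated for the modifiers quoted above at constructed run times. The `+4h+55m@m` / `+5h@m` pair is an assumed alternative included only for comparison; nobody in the thread proposed it.

```python
import re
from datetime import datetime, timedelta

# Simplified model of Splunk relative time modifiers, limited to the
# units s, m, h and d. It is an assumption-based sketch, not Splunk's parser.
_TOKEN = re.compile(r"([+-]\d+)([smhd])|@([smhd])")
_OFFSET = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_SNAP = {
    "s": dict(microsecond=0),
    "m": dict(second=0, microsecond=0),
    "h": dict(minute=0, second=0, microsecond=0),
    "d": dict(hour=0, minute=0, second=0, microsecond=0),
}

def resolve(modifier, now):
    """Apply each offset or @snap in the modifier to `now`, left to right."""
    pos, t = 0, now
    while pos < len(modifier):
        m = _TOKEN.match(modifier, pos)
        if m is None:
            raise ValueError(f"unsupported modifier at {modifier[pos:]!r}")
        if m.group(3):
            # "@h": round down to the start of the unit
            t = t.replace(**_SNAP[m.group(3)])
        else:
            # "+4h": shift by the signed amount
            t += timedelta(**{_OFFSET[m.group(2)]: int(m.group(1))})
        pos = m.end()
    return t

def window(earliest, latest, now):
    """Return the (start, end) datetimes a search run at `now` would cover."""
    return resolve(earliest, now), resolve(latest, now)

if __name__ == "__main__":
    # Constructed run times: three runs of a 5-minute schedule in one hour.
    pairs = (("+4h@h+55m", "+5h@h"), ("+4h+55m@m", "+5h@m"))
    for hhmm in ("10:02", "10:07", "10:57"):
        now = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
        for earliest, latest in pairs:
            start, end = window(earliest, latest, now)
            print(hhmm, earliest, latest, start.time(), end.time())
```

In this model the `@h` snap pins the first pair to the same 14:55 to 15:00 window for every run between 10:00 and 10:59, while the minute-snapped pair moves forward with each run.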