Solved: Time to search can only be set by the time range p...

palisetty · ‎12-24-2019

Time to search can only be set by the time range picker.

False is the answer. What are the other ways you can think of, please?

skoelpin · ‎12-24-2019

Time modifiers inline of the search like this

index=... earliest=-24h@h latest=now

View solution in original post

woodcock · ‎12-24-2019

Also:

index= ... earliest=-x latest=now

And along with that, using TimePicker indirectly after-the-fact:

|dbxquery ...
|inputlookup append=t
| addinfo
| where _time>=info_min_time AND _time<=info_max_time

And lastly, you can interact with many visualizations (e.g. Line Chart) and click and/or drag and then select Zoom to selected and it will do that and update the TimePicker.

mydog8it · ‎12-24-2019

This one might not count, by clicking the event time and specifying a relative search window... which drives the time picker, which is why I said it might not count.

skoelpin · ‎12-24-2019

Time modifiers inline of the search like this

index=... earliest=-24h@h latest=now

palisetty · ‎12-24-2019

-24h@h means? 24 hours yesterday is it? Please correct me

woodcock · ‎12-24-2019

Now - 24hours, snapped down to the start of that hour.

Time to search can only be set by the time range picker.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?