Re: What is the difference between latest_day and ...

hmohta · ‎10-05-2022

Hello

I am a bit unclear from the readings the meaning of 'latest_day and 1 day_ before'. I have attached a screen shot where I am comparing a particular event that occurred over 7 days.

Now if I want to compare say 'latest_day and 1 day_ before'. : is latest like yesterday and 1day_ before is the 4th October? I am confused. My query:
index="AB" earliest=-8d@d latest=@d
| search status="OTP_REQUIRED"
| timechart span=1h count
| timewrap d
| fields _time latest_day, 1day_before ( when I want to compare days)

Thankyou

hmohta · ‎10-09-2022

Thankyou so much!

gcusello · ‎10-09-2022

Hi @hmohta,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

gcusello · ‎10-06-2022

Hi @hmohta,

as @johnhuang said:

latest_day is tha last full day of the time period of your search, in this case yesterday,
1day_before is the previous day than yesterday.

For more infos see documentation about timewrap command at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Timewrap

Ciao.

Giuseppe

johnhuang · ‎10-05-2022

The latest_day correspond to the latest event in your search which is yesterday.

What is the difference between latest_day and 1 day_ before?

timechart

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024