Drill-down Search Earliest Latest Offset

Splunk_Fabi · ‎12-16-2024

When I edit a correlation search, I want to configure the time of the drill-down search.

If I put "1h" in the form "Earliest Offset", it inputs the unix time stamp in milliseconds. Splunk expects the unix time stamp in seconds. Is there a workaround for this issue?

->

Correct would be:

sainag_splunk · ‎12-17-2024

@Splunk_Fabi Hello, which version of ES are you using? I have seen a similar bug in 7.3.2 (a fix might be on the future roadmap). If you are on 7.3.2, please file a ticket with Splunk Support to expedite the issue.

If this Helps, Please Upvote.

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

Drill-down Search Earliest Latest Offset

configuration

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Drill-down Search Earliest Latest Offset

configuration

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future