-45m@d what it means

palisetty · ‎04-04-2020

Hi @gcusello hope you are doing good,
As far as I understand, m@d means, beginning of the day, and -45m@d means, 45 minutes before the beginning of the day. Kindly correct me, I am always confused with this

gcusello · ‎04-04-2020

Hi @palisetty,
you can use the same time unit before and after @: in other words you cannot use -45m@d, but you can use -45m@m or -2h@h to have a time frame that starts from the beginning of the time unit you used.

If you want a time frame that starts 45 minutes before the beginning of the previous day, you should try -d@d-45m.
In other words, you can add a different time unit only after the same you used.
Sorry, I'm not sure to be clear but the example should explain better!

Anyway, you can easily test your time definitions opening the search dashboard and manually inserting your time modifiers in the advanced section of the Time picker: under the text box to insert the time modifier, the related time is displayed.
e.g.:
if you insert -d@d-45m you have 4/3/20 11:15:00.000 PM.
In this way, you can easily identify your time modifiers.

Ciao.
Giuseppe

to4kawa · ‎04-05-2020

| makeresults count=2 
| streamstats count 
| eval time_args=if(count=2,"-45m@d","@d-45m") 
| eval _time=relative_time(_time,time_args)

-45m@d what it means

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?