Re: About time modifier

yuwtennis · ‎12-10-2013

Hi!

I am considering to use summary index to effectively search massive data.
To do this, I am considering to set saved search and use time modifier to slide the time range ever time
the search is executed.

what I am trying to set is

earliest = @quarter-6mon latest=@quarter-3mon

I am planning to execute the above time modifier every calendar quarter.
I believe there will be a point where it is overlapped by both search.

For example,

1st search is executed at 2013/4 the time modifier will be,
2012/10/1 - 2013/1/1

Next time executed,
2013/1/1 - 2013/4/1

So 2013/1/1 is overlapped .

Would there be any way to elude this ?

Thanks,
Yu

martin_mueller · ‎12-10-2013

I doubt there actually is a day of overlap, because both are pointing to midnight / 00:00 that day.

martin_mueller · ‎12-11-2013

No. Mathematically speaking, the timerange searched is the interval [earliest, latest). In other words, events occurring at the earliest timestamp are included while events occurring at the latest timestamp are not.

yuwtennis · ‎12-10-2013

Hello martin_mueller.

Thank you for the comment.

Wouldn't events that has "2013/1/1 00:00" be overlapped?

Thanks,
Yu

About time modifier

Splunk MCP & Agentic AI: Machine Data Without Limits

See Splunk Platform & Observability Innovations at Cisco Live EMEA

The OpenTelemetry Certified Associate (OTCA) Exam

Join the Conversation

About time modifier

Splunk MCP & Agentic AI: Machine Data Without Limits

See Splunk Platform & Observability Innovations at Cisco Live EMEA

The OpenTelemetry Certified Associate (OTCA) Exam