Splunk Search
Highlighted

About time modifier

Communicator

Hi!

I am considering to use summary index to effectively search massive data.
To do this, I am considering to set saved search and use time modifier to slide the time range ever time
the search is executed.

what I am trying to set is

earliest = @quarter-6mon latest=@quarter-3mon

I am planning to execute the above time modifier every calendar quarter.
I believe there will be a point where it is overlapped by both search.

For example,

1st search is executed at 2013/4 the time modifier will be,
2012/10/1 - 2013/1/1

Next time executed,
2013/1/1 - 2013/4/1

So 2013/1/1 is overlapped .

Would there be any way to elude this ?

Thanks,
Yu

Tags (2)
0 Karma
Highlighted

Re: About time modifier

SplunkTrust
SplunkTrust

I doubt there actually is a day of overlap, because both are pointing to midnight / 00:00 that day.

0 Karma
Highlighted

Re: About time modifier

Communicator

Hello martin_mueller.

Thank you for the comment.

Wouldn't events that has "2013/1/1 00:00" be overlapped?

Thanks,
Yu

0 Karma
Highlighted

Re: About time modifier

SplunkTrust
SplunkTrust

No. Mathematically speaking, the timerange searched is the interval [earliest, latest). In other words, events occurring at the earliest timestamp are included while events occurring at the latest timestamp are not.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.