Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change reference date

renanprado96
Path Finder
‎03-11-2016 09:53 AM

When we use "-3d@".
Data is captured from now until 3 days ago.
How to set a different date? Not "now".
For example, yesterday.
So, the system must seek yesterday to 3 days ago. (-3d@).
thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-11-2016 10:08 AM

It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.

If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday

earliest=-1d@d latest=-4d@d

If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).

index=blah  [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-11-2016 10:08 AM

It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.

If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday

earliest=-1d@d latest=-4d@d

If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).

index=blah  [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-11-2016 10:05 AM

You want to specify a latest time of "-1d@d". The specifics of how to do that depend on how you're using "-3d@" today. You could, for example, modify your search string to ... earliest="-3d@" latest="-1d@" | .... For saved searches, put "-1d@" in the "Finish time" box.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dgrubb_splunk
Splunk Employee
Splunk Employee
‎03-11-2016 10:04 AM

When using the GUI you can choose custom time off the timepicker and select specifically earliest and latest date. or you can specify directly in your search:

sourcetype= something earliest=-5d@d latest=-1d@d

more info can be found here:

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/SearchTimeModifiers

0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
‎03-11-2016 10:27 AM

I already know this.
I want to see 30 days before and 30 days after a date.
If I put "03/03/2016," the system will look for 30 days before and 30 days after the date that I put.
The date "03/03/2016" will not be fixed.
But I always have to search data 30 days before and 30 days after the date I choose
Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...