- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Change reference date
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we use "-3d@".
Data is captured from now until 3 days ago.
How to set a different date? Not "now".
For example, yesterday.
So, the system must seek yesterday to 3 days ago. (-3d@).
thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.
If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday
earliest=-1d@d latest=-4d@d
If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).
index=blah [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.
If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday
earliest=-1d@d latest=-4d@d
If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).
index=blah [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want to specify a latest time of "-1d@d". The specifics of how to do that depend on how you're using "-3d@" today. You could, for example, modify your search string to ... earliest="-3d@" latest="-1d@" | .... For saved searches, put "-1d@" in the "Finish time" box.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When using the GUI you can choose custom time off the timepicker and select specifically earliest and latest date. or you can specify directly in your search:
sourcetype= something earliest=-5d@d latest=-1d@d
more info can be found here:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/SearchTimeModifiers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already know this.
I want to see 30 days before and 30 days after a date.
If I put "03/03/2016," the system will look for 30 days before and 30 days after the date that I put.
The date "03/03/2016" will not be fixed.
But I always have to search data 30 days before and 30 days after the date I choose
Thanks!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
