Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Change reference date

renanprado96
Path Finder
‎03-11-2016 09:53 AM

When we use "-3d@".
Data is captured from now until 3 days ago.
How to set a different date? Not "now".
For example, yesterday.
So, the system must seek yesterday to 3 days ago. (-3d@).
thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-11-2016 10:08 AM

It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.

If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday

earliest=-1d@d latest=-4d@d

If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).

index=blah  [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-11-2016 10:08 AM

It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.

If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday

earliest=-1d@d latest=-4d@d

If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).

index=blah  [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-11-2016 10:05 AM

You want to specify a latest time of "-1d@d". The specifics of how to do that depend on how you're using "-3d@" today. You could, for example, modify your search string to ... earliest="-3d@" latest="-1d@" | .... For saved searches, put "-1d@" in the "Finish time" box.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dgrubb_splunk
Splunk Employee
Splunk Employee
‎03-11-2016 10:04 AM

When using the GUI you can choose custom time off the timepicker and select specifically earliest and latest date. or you can specify directly in your search:

sourcetype= something earliest=-5d@d latest=-1d@d

more info can be found here:

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/SearchTimeModifiers

0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
‎03-11-2016 10:27 AM

I already know this.
I want to see 30 days before and 30 days after a date.
If I put "03/03/2016," the system will look for 30 days before and 30 days after the date that I put.
The date "03/03/2016" will not be fixed.
But I always have to search data 30 days before and 30 days after the date I choose
Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...

Index This | What is feather-light but cannot be held long?

May 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...