Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Change reference date

renanprado96
Path Finder
โ€Ž03-11-2016 09:53 AM

When we use "-3d@".
Data is captured from now until 3 days ago.
How to set a different date? Not "now".
For example, yesterday.
So, the system must seek yesterday to 3 days ago. (-3d@).
thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
โ€Ž03-11-2016 10:08 AM

It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.

If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday

earliest=-1d@d latest=-4d@d

If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).

index=blah  [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
โ€Ž03-11-2016 10:08 AM

It'll depend upon how you specify the time range for your search, either using time range picker OR directly specifying time range modified in the search.

If you specify the time range modifiers directly, use below for yesterday to 3 days ago from yesterday

earliest=-1d@d latest=-4d@d

If you use time range picker, either you can use above using the 'Advanced' tab of time range picker, OR you can use this subsearch method to override the timerange picker selection. Assuming you're selecting your 'Reference date' in time range picker (either using preset to select Yesterday OR Date range to select exact date).

index=blah  [| gentimes start=-1 | addinfo | eval latest=info_min_time | eval earliest=relative_time(latest,"-3d@d") | table earliest latest ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
โ€Ž03-11-2016 10:05 AM

You want to specify a latest time of "-1d@d". The specifics of how to do that depend on how you're using "-3d@" today. You could, for example, modify your search string to ... earliest="-3d@" latest="-1d@" | .... For saved searches, put "-1d@" in the "Finish time" box.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dgrubb_splunk
Splunk Employee
Splunk Employee
โ€Ž03-11-2016 10:04 AM

When using the GUI you can choose custom time off the timepicker and select specifically earliest and latest date. or you can specify directly in your search:

sourcetype= something earliest=-5d@d latest=-1d@d

more info can be found here:

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/SearchTimeModifiers

0 Karma
Reply
Solved! Jump to solution

renanprado96
Path Finder
โ€Ž03-11-2016 10:27 AM

I already know this.
I want to see 30 days before and 30 days after a date.
If I put "03/03/2016," the system will look for 30 days before and 30 days after the date that I put.
The date "03/03/2016" will not be fixed.
But I always have to search data 30 days before and 30 days after the date I choose
Thanks!

0 Karma
Reply