
Datamodel summariesonly

jadengoho

Why are we seeing logs from a year ago even though we use summariesonly=t?

| tstats summariesonly=t earliest(_time) as EarliestDateEpoch from datamodel=Authentication where earliest=-8mon
| eval EarliestDate=strftime(EarliestDateEpoch,"%m-%d-%Y")

 

Even though the summary range = 1month, I just want to get the earliest date of the summaries.

0 Karma