I have a query as follows
_index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00" index="ABC"......| stats count by x
And on the right side of the search bar, I have chosen the date range from the time range picker as below.
Now, as per the above, does the query pull the results from the time I specified in the query (_index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00"),
or is it going to pull the results from the time picker I specified (01/18/2018 and 01/23/2018)?
Can someone explain the difference and clarify for me which time frame the query will use?
hey
_index_earliest = Specify the earliest _indextime for the time range of your search.
_index_latest = Specify the latest _indextime for the time range of your search.
For example, if you wanted to search for events indexed in the previous hour, use: _index_earliest=-h@h _index_latest=@h
but if you choose a date range from the time range picker, then it will consider that time range, and within that time range _index_earliest=-h@h _index_latest=@h
must also be satisfied for the search to return results.
For example,
consider a case where you have indexed 60 events in the last 60 minutes, i.e. 1 event per second. So your indextime and timepicker will act the same.
case1: _index_earliest & _index_latest set to last 60 minutes and timepicker set to last 30 minutes.
Result would be 30 events only
case2: _index_earliest & _index_latest set to last 60 minutes and timepicker set to last 60 minutes.
Result would be 60 events
case3: _index_earliest & _index_latest set to last 30 minutes and timepicker set to last 60 minutes.
Result would be 30 events only
For more information have a look at this doc
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers#_time_an...
let me know if this helps!
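The interaction described in the answer above is an intersection: the time range picker (or earliest=/latest=) bounds _time, and _index_earliest/_index_latest bound _indextime, and an event must satisfy both. The following is an added example, not code from the thread or from Splunk: a small Python model of that filtering, run over constructed sample events. It reproduces the answer's three cases (where _time and _indextime coincide) and then goes one step further with a late-indexed event, which is the situation where the two bounds actually differ. The event names, the reference time NOW and the half-open range handling are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference "now" for the sample data (assumption, not from the thread).
NOW = datetime(2018, 1, 20, 12, 0, 0)


@dataclass(frozen=True)
class Event:
    time: datetime       # _time: timestamp parsed from the raw event
    indextime: datetime  # _indextime: when the indexer wrote the event


def search(events, earliest, latest, index_earliest=None, index_latest=None):
    """Model of how Splunk applies the two kinds of time bounds.

    earliest/latest stand for the time range picker (or earliest=/latest=) and
    bound _time. index_earliest/index_latest stand for _index_earliest/_index_latest
    and bound _indextime. An event is returned only if it satisfies BOTH ranges;
    the index-time bounds narrow the picker's range, they do not replace it.
    Ranges are modelled as half-open [earliest, latest): inclusive earliest,
    exclusive latest (assumed to hold for _indextime as it does for _time).
    """
    hits = []
    for ev in events:
        if not (earliest <= ev.time < latest):
            continue
        if index_earliest is not None and ev.indextime < index_earliest:
            continue
        if index_latest is not None and ev.indextime >= index_latest:
            continue
        hits.append(ev)
    return hits


def make_events(now=NOW, minutes=60):
    """Constructed sample: one event per minute for the last `minutes` minutes,
    each indexed the instant it occurred, so _time == _indextime (the answer's setup)."""
    return [Event(now - timedelta(minutes=i), now - timedelta(minutes=i))
            for i in range(1, minutes + 1)]


def last(minutes, now=NOW):
    """Relative range 'last N minutes' as an (earliest, latest) pair."""
    return now - timedelta(minutes=minutes), now


def answer_cases():
    """Reproduce the three cases from the answer. Returns (case1, case2, case3)."""
    evs = make_events()
    case1 = len(search(evs, *last(30), *last(60)))  # picker 30 min, _index_* 60 min
    case2 = len(search(evs, *last(60), *last(60)))  # picker 60 min, _index_* 60 min
    case3 = len(search(evs, *last(60), *last(30)))  # picker 60 min, _index_* 30 min
    return case1, case2, case3


def late_arrival_cases():
    """Where the two bounds differ: an event whose _time is 45 minutes old but
    which was only indexed 5 minutes ago (a forwarder that was offline, say).
    Returns (picker-only count, picker + index-window count)."""
    late = Event(NOW - timedelta(minutes=45), NOW - timedelta(minutes=5))
    evs = make_events() + [late]
    # A search scheduled every 10 minutes over the last 10 minutes of _time
    # never sees the late event: its _time fell outside that window long ago.
    picker_only = len(search(evs, *last(10)))
    # A wide _time window narrowed by _index_* on the last 10 minutes picks it up,
    # together with the 10 freshly indexed events, each counted exactly once.
    with_index_window = len(search(evs, *last(60), *last(10)))
    return picker_only, with_index_window


if __name__ == "__main__":
    print("answer cases (case1, case2, case3):", answer_cases())
    print("late arrival (picker only, picker + index window):", late_arrival_cases())
```

The late-arrival function is the practical reason to combine a wide picker range with a narrow _index_earliest/_index_latest window in a scheduled search: events that are indexed late would otherwise fall through the gap between consecutive runs, and a detection keyed only on _time would never alert on them.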