Splunk Search

Difference between the time mentioned in the Splunk query and the time range picker? Which time does my query pull the results from?

pavanae
Builder

I have a query as follows

_index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00" index="ABC"......| stats count by x

And on the right side of the search bar, I have chosen the date range from the time range picker as below

[screenshot of the time range picker]

Now, as per the above, does the query pull the results from the time I specified in the query (_index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00"), or is it going to pull the results from the time picker I specified (01/18/2018 and 01/23/2018)?

Can someone explain the difference and clarify for me which time frame the query will use?

0 Karma
1 Solution

mayurr98
Super Champion

hey

_index_earliest = Specify the earliest _indextime for the time range of your search.
_index_latest = Specify the latest _indextime for the time range of your search.

For example, if you wanted to search for events indexed in the previous hour, use: _index_earliest=-h@h _index_latest=@h
But if you choose a date range from the time range picker, then it will consider that time range, and within that time range, if the condition _index_earliest=-h@h _index_latest=@h is satisfied, then the search will return results.

For example,
consider a case where you have indexed 60 events in the last 60 minutes, i.e. 1 event per second. So your index time and time picker will act the same.

Case 1: _index_earliest & _index_latest set to last 60 minutes and time picker set to last 30 minutes.
Result would be 30 events only.

Case 2: _index_earliest & _index_latest set to last 60 minutes and time picker set to last 60 minutes.
Result would be 60 events.

Case 3: _index_earliest & _index_latest set to last 30 minutes and time picker set to last 60 minutes.
Result would be 30 events only.

For more information, have a look at this doc:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers#_time_an...

Let me know if this helps!

0 Karma
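The three cases in the accepted answer come down to one rule: the time range picker (or earliest=/latest=) filters on _time, while _index_earliest/_index_latest filter on _indextime, and an event must pass both. The Python model below is an added illustration, not code from the post or from Splunk; it assumes Splunk's usual bounds (earliest inclusive, latest exclusive) and uses a constructed clock value NOW. It reproduces the answer's 60-events-one-per-minute scenario and then goes one step further than the post: a late-arriving event whose _time is two hours old but which was indexed ten minutes ago, which is exactly the data a scheduled detection search keyed on _indextime is meant to catch, and which the picker silently drops unless it is widened.

```python
from dataclasses import dataclass

NOW = 1_700_000_000  # constructed reference "now" (epoch seconds), not a real timestamp
MIN = 60             # seconds per minute


@dataclass(frozen=True)
class Event:
    time: int       # _time: when the event occurred, according to the event itself
    indextime: int  # _indextime: when the indexer actually wrote the event


def search(events, earliest, latest, index_earliest=None, index_latest=None):
    """Model of Splunk's two independent time filters (assumption: earliest/_index_earliest
    inclusive, latest/_index_latest exclusive). An event is returned only if it satisfies
    BOTH the _time window and, when given, the _indextime window."""
    hits = []
    for ev in events:
        # The time range picker (or earliest=/latest=) constrains _time.
        if not (earliest <= ev.time < latest):
            continue
        # _index_earliest / _index_latest constrain _indextime, independently of the above.
        if index_earliest is not None and ev.indextime < index_earliest:
            continue
        if index_latest is not None and ev.indextime >= index_latest:
            continue
        hits.append(ev)
    return hits


def sample_events():
    """Constructed data: 60 events, one per minute over the last hour, each indexed the
    instant it occurred, so _time and _indextime agree (the answer's 'act the same' case)."""
    return [Event(NOW - k * MIN, NOW - k * MIN) for k in range(1, 61)]


def answer_cases():
    """Counts for the three cases described in the accepted answer."""
    evs = sample_events()
    last60 = (NOW - 60 * MIN, NOW)
    last30 = (NOW - 30 * MIN, NOW)
    return {
        # picker = last 30 min, _index_* = last 60 min
        "case1": len(search(evs, *last30, *last60)),
        # picker = last 60 min, _index_* = last 60 min
        "case2": len(search(evs, *last60, *last60)),
        # picker = last 60 min, _index_* = last 30 min
        "case3": len(search(evs, *last60, *last30)),
    }


def late_arrival_cases():
    """Beyond the post: a delayed event (_time two hours ago, indexed ten minutes ago).
    With the picker at last 60 minutes it is dropped even though _index_* would keep it;
    widening the picker lets the _indextime window do its job."""
    late = Event(time=NOW - 120 * MIN, indextime=NOW - 10 * MIN)
    evs = sample_events() + [late]
    last60 = (NOW - 60 * MIN, NOW)
    last180 = (NOW - 180 * MIN, NOW)
    return {
        "picker_last60_index_last60": len(search(evs, *last60, *last60)),
        "picker_last180_index_last60": len(search(evs, *last180, *last60)),
    }


if __name__ == "__main__":
    print(answer_cases())         # {'case1': 30, 'case2': 60, 'case3': 30}
    print(late_arrival_cases())   # {'picker_last60_index_last60': 60, 'picker_last180_index_last60': 61}
```

The practical consequence for the original question: with the picker at 01/18 to 01/23 and _index_earliest/_index_latest at 01/20 to 01/21, the search returns events whose _time falls in the picker's five-day window and whose _indextime falls in the one-day index window, not one or the other. For scheduled searches that use _indextime to pick up delayed data, set the picker wide enough to cover the largest ingestion delay you expect, otherwise late events never reach the results.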
