
Difference between the time mentioned in the Splunk query and the time range picker? Which time does my query pull the results from?


I have a query as follows

_index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00" index="ABC"......| stats count by x

And on the right side of the search bar, I have chosen the date range from the time range picker as below


Now, as per the above, does the query pull the results from the time I specified in the query (_index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00"), or is it going to pull the results from the time range picker I specified (01/18/2018 and 01/23/2018)?

Can someone explain the difference and clarify for me which time frame the query will use?


Re: Difference between the time mentioned in the Splunk query and the time range picker? Which time does my query pull the results from?


hey

_index_earliest = Specify the earliest _indextime for the time range of your search.
_index_latest = Specify the latest _indextime for the time range of your search.

For example, if you wanted to search for events indexed in the previous hour, use: _index_earliest=-h@h _index_latest=@h
But if you choose a date range from the time range picker, then it will consider that time range, and within that time range, if the condition _index_earliest=-h@h _index_latest=@h is satisfied, then the search will return results.

For example,
consider a case: you have indexed 60 events in the last 60 minutes, i.e. 1 event per second. So your indextime and timepicker will act the same.

Case 1: _index_earliest & _index_latest set to last 60 minutes and timepicker set to last 30 minutes.
Result would be 30 events only

Case 2: _index_earliest & _index_latest set to last 60 minutes and timepicker set to last 60 minutes.
Result would be 60 events

Case 3: _index_earliest & _index_latest set to last 30 minutes and timepicker set to last 60 minutes.
Result would be 30 events only

For more information have a look at this doc
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers#_time_an...

let me know if this helps!

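The interaction described in the reply above, as a small Python model added here (not code from the thread or from Splunk): an event is returned only when its _time falls inside the time range picker and its _indextime falls inside the _index_earliest/_index_latest window. The `search` helper, the event data, the midnight picker bounds and the inclusive-start/exclusive-end boundaries are assumptions of this model.

```python
from datetime import datetime, timedelta

def in_window(ts, start, end):
    # Modelling assumption: start is inclusive, end is exclusive.
    return start <= ts < end

def search(events, picker, index_window):
    """Return events that fall inside BOTH windows: the picker is tested
    against _time, the _index_earliest/_index_latest pair against _indextime."""
    return [e for e in events
            if in_window(e["_time"], *picker)
            and in_window(e["_indextime"], *index_window)]

def reply_cases():
    """The reply's setup: 60 events over the last 60 minutes, indexed on arrival."""
    now = datetime(2018, 1, 23, 12, 0)  # constructed "now"
    last = lambda minutes: (now - timedelta(minutes=minutes), now)
    events = []
    for m in range(1, 61):
        t = now - timedelta(minutes=m)
        events.append({"id": m, "_time": t, "_indextime": t})
    return (len(search(events, picker=last(30), index_window=last(60))),  # case 1
            len(search(events, picker=last(60), index_window=last(60))),  # case 2
            len(search(events, picker=last(60), index_window=last(30))))  # case 3

def question_scenario():
    """The question's two windows, run over four constructed events."""
    d = lambda day, hour, minute=0: datetime(2018, 1, day, hour, minute)
    picker = (d(18, 0), d(23, 0))        # time range picker (assumed midnight bounds)
    index_window = (d(20, 0), d(21, 0))  # _index_earliest / _index_latest
    events = [  # constructed sample events
        {"id": "late-arrival",  "_time": d(19, 10),     "_indextime": d(20, 8)},
        {"id": "same-day",      "_time": d(20, 9),      "_indextime": d(20, 9)},
        {"id": "before-picker", "_time": d(17, 23),     "_indextime": d(20, 1)},
        {"id": "indexed-after", "_time": d(20, 23, 59), "_indextime": d(21, 0, 5)},
    ]
    return [e["id"] for e in search(events, picker, index_window)]

if __name__ == "__main__":
    print(reply_cases())
    print(question_scenario())
```

The "late-arrival" event shows why the two windows differ in practice: it happened on 01/19 but was indexed on 01/20, so it matches only because the picker range also covers its event time.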