Solved: Is the time range for search inclusive or exclusiv...

rajiv_abraham · ‎08-08-2016

Hi,

When I search using the Python API and provide earliest_time and latest_time, I guess it is an inclusive range, but can anyone confirm with documentation?

Thanks!

martin_mueller · ‎08-08-2016

Earliest is inclusive, latest is exclusive. In math terms, [earliest, latest).
It has to be one of each, else events would be missed or doubled if you schedule a search over an hour time range every hour.
Logically, -d@d to @d then gives you "everything with a date of yesterday and any time" - sounds very sane to me.

The docs aren't very explicit on that, the bottom example backs this up here though: http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Specifytimemodifiersinyoursearch#Examples_o...

View solution in original post

martin_mueller · ‎08-08-2016

Earliest is inclusive, latest is exclusive. In math terms, [earliest, latest).
It has to be one of each, else events would be missed or doubled if you schedule a search over an hour time range every hour.
Logically, -d@d to @d then gives you "everything with a date of yesterday and any time" - sounds very sane to me.

The docs aren't very explicit on that, the bottom example backs this up here though: http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Specifytimemodifiersinyoursearch#Examples_o...

Is the time range for search inclusive or exclusive

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!