Solved: Latest/Earliest Timeformat using another timezone ...

benspader · ‎01-28-2014

I need to create a search that uses the UTC timezone not my default which is Central time (UTC - 6h).

Basically my search must search from NOW to the earliest of 6pm yesterday, but the problem I have is when it is past 6pm in the same day this time modifier (earliest=@d-6h latest=now) still puts me back to 6pm yesterday but it should be 6pm today.

Does anyone have any idea how I can create a time modifier that will be smart enough to not go back to yesterday at 6pm if it is past 6pm in the same day?
Thanks in advance.
-Ben

kristian_kolb · ‎01-28-2014

You can use a subsearch to generate the correct value for earliest;

sourcetype=splunkd index=_internal latest=now() [search * | head 1 | eval now_hour = strftime(now(),"%H") | eval earliest = if((now_hour > 17), "@d+18h", "@d-6h") | fields + earliest] | the rest of your search

Hope this helps,

K

View solution in original post

kristian_kolb · ‎01-28-2014

You can use a subsearch to generate the correct value for earliest;

sourcetype=splunkd index=_internal latest=now() [search * | head 1 | eval now_hour = strftime(now(),"%H") | eval earliest = if((now_hour > 17), "@d+18h", "@d-6h") | fields + earliest] | the rest of your search

Hope this helps,

K

benspader · ‎01-28-2014

This should work! Thank you very much!

Latest/Earliest Timeformat using another timezone other than the default

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!