Solved: Saved Search Start and End Time

shangshin · ‎03-05-2013

Hi,
I would like to run a daily report at 3 AM and the time range should be Start Time 00:00:00 Finish Time 23:59:59. However, I can't find the equivalent time modifier.

I tried to use start time -1d@d but it didn't work unless the search is scheduled at 12 AM sharp.

Please advise the right values to achieve this goal.

emiller42 · ‎03-05-2013

I'm assuming you want the entire previous day from midnight to midnight. That being the case, start time of -1d@d and end time of @d should give you the timeframe you're looking for.

View solution in original post

vincesesto · ‎03-05-2013

Hi shangshin,

Have you tried to set the latest time as well...for example earliest=-1d@d latest=@d as this should get you from 12am to the end of that 24 hour time span.

If not...can you please post the entire search that you are putting in place with an example of the data that you are searching through as this would help with a possible solution.

Regards,

Vince

emiller42 · ‎03-05-2013

I'm assuming you want the entire previous day from midnight to midnight. That being the case, start time of -1d@d and end time of @d should give you the timeframe you're looking for.

Saved Search Start and End Time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation