Splunk Search

Splunk Keywords definations

basics
Explorer

HI,

 

I am new to Splunk and I am looking forward to learning more. I wanted to know where do I learn what keywords/code such as the following mean or do...

 

  • earliest="-1mon@mon"
  • latest="@d"
  • latest="@mon"

 

and what does it mean when I add this in the Splunk query like this:

 

data = "global" earliest="-1mon@mon" latest="@d" [ search data = "global" earliest="-1mon@mon" latest="@d"]

I also have a Time Range Widget connected with this query... and the value of the output changes as I change the time range. However, (I believe) since I already defined (earliest="-1mon@mon" latest="@d") query in the search, does it make the result different? 

 

Please help me understand what is happening. Thank you.

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @basics,

in Splunk you can run unstructured searches (using words or strings) and/or structured searches (using fields).

In fields there are the time fields that you can set using a Time Picker or the Time Modifiers.

But, if you insert in your search the Time Modifiers, the values from the Time Picker aren't used by your search because Time Modifiers overwrite the Time Picker settings.

For more infos you can see at https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers.

My hint is to follow the Splunk Fundamentals i course (https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html) that's a free course and the Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchTutorial/WelcometotheSearchTutorial) that help you to understand how Splunk works.

Ciao.

Giuseppe

 

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @basics,

in Splunk you can run unstructured searches (using words or strings) and/or structured searches (using fields).

In fields there are the time fields that you can set using a Time Picker or the Time Modifiers.

But, if you insert in your search the Time Modifiers, the values from the Time Picker aren't used by your search because Time Modifiers overwrite the Time Picker settings.

For more infos you can see at https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers.

My hint is to follow the Splunk Fundamentals i course (https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html) that's a free course and the Search Tutorial (https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchTutorial/WelcometotheSearchTutorial) that help you to understand how Splunk works.

Ciao.

Giuseppe

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @basics,

Good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...