Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Time Modifiers in search for timechart

jason_hotchkiss
Communicator
‎07-20-2021 07:25 AM

Hello - 

I was reading this:  https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers

But it is not very clear to me how to use the time modifiers properly.

index=blah sourcetype=blah
fields _time index sourcetype GB
| timechart span=1d sum(GB) as Gigabytes

How would I draw my time chart to the end of the previous day over a 7-day period using a time modifier?

Would it be:  

index=blah sourcetype=blah _index_earliest=-7d@d index_latest=-1d@d

Please advise, thank you.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2021 07:57 AM

@d takes you to the beginning of the day so for end of previous day you need latest=@d i.e. beginning of current day.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-20-2021 07:57 AM

@d takes you to the beginning of the day so for end of previous day you need latest=@d i.e. beginning of current day.

Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎07-20-2021 08:28 AM

Ahh... I tried -@d - didn't occur to me to try @d.  Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

Buttercup Games: Further Dashboarding Techniques (Part 3)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...
Top