Solved: Using latest= in search results in all time, not t...

kmattern · ‎11-16-2012

I have this very simple search

sourcetype=iis latest=+6h

When I select Today from the date/time picker and run the search it returns results for all time. My iis logs are UTC but are converted to Central time by Splunk. I need the 6 hour offset to get the times to match existing non Splunk reports.

As can be seen in the screen shot the search continued to a point much earliern than midnight today, November 16. Seeing this happen is very scary because it throws into doubt many of my production dashboard results. Does anyone have any ideas?

richgalloway · ‎11-16-2012

When you put "latest" in your search, it trumps the selection in the date/time picker. The workaround is to also include "earliest" in your search string.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-16-2012

When you put "latest" in your search, it trumps the selection in the date/time picker. The workaround is to also include "earliest" in your search string.

---
If this reply helps you, Karma would be appreciated.

kmattern · ‎11-16-2012

Doh! I shold have known that. It's been a long year.

Using latest= in search results in all time, not today

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup