Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

What does <time_unit> default to?

pm771
Communicator
‎02-08-2023 07:20 AM

Because of a typo we had the following in our query:

 

 

earliest=-1@d

 

 

Since Splunk query actually ran I assumed that some kind of default value had been used.

I could not find such details in docs.

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

View solution in original post

Reply
Solved! Jump to solution

pm771
Communicator
‎02-08-2023 02:41 PM

I tried 

 

index= 
earliest=-600@m
| stats max(_time) as maxT min(_time) as minT
| eval maxtime=strftime(maxT,"%Y-%m-%dT%H:%M:%S.%Q"), mintime=strftime(minT,"%Y-%m-%dT%H:%M:%S.%Q")

 

and got back 10 min of events as expected based on your explanation.

0 Karma
Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:09 AM

Hello,

You are correct in identifying its behavior. When you write earliest=-1@d, it gives you the results on the basis of @d, which is every single result from the beginning of the day. -1 as ITWhisperer correctly pointed out accounts for a second and has no visible impact. 

shivanshu1593_0-1675872547023.png

 




Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:20 AM

As I said, -1 is not ignored, it is just that it has no appreciable impact, unless going back 1 second takes you back to the previous day. Essentially, without a time unit, seconds is assumed / defaulted.

Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:25 AM

Hello,

Thank you for correcting me and letting us know the correct behavior. I didn't know the correct fact here. I've updated the answer as well. 🙂

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...