Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What does <time_unit> default to?

pm771
Communicator
‎02-08-2023 07:20 AM

Because of a typo we had the following in our query:

 

 

earliest=-1@d

 

 

Since Splunk query actually ran I assumed that some kind of default value had been used.

I could not find such details in docs.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

View solution in original post

Reply
Solved! Jump to solution

pm771
Communicator
‎02-08-2023 02:41 PM

I tried 

 

index= 
earliest=-600@m
| stats max(_time) as maxT min(_time) as minT
| eval maxtime=strftime(maxT,"%Y-%m-%dT%H:%M:%S.%Q"), mintime=strftime(minT,"%Y-%m-%dT%H:%M:%S.%Q")

 

and got back 10 min of events as expected based on your explanation.

0 Karma
Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:09 AM

Hello,

You are correct in identifying its behavior. When you write earliest=-1@d, it gives you the results on the basis of @d, which is every single result from the beginning of the day. -1 as ITWhisperer correctly pointed out accounts for a second and has no visible impact. 

shivanshu1593_0-1675872547023.png

 




Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:20 AM

As I said, -1 is not ignored, it is just that it has no appreciable impact, unless going back 1 second takes you back to the previous day. Essentially, without a time unit, seconds is assumed / defaulted.

Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:25 AM

Hello,

Thank you for correcting me and letting us know the correct behavior. I didn't know the correct fact here. I've updated the answer as well. 🙂

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...