Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What does <time_unit> default to?

pm771
Communicator
‎02-08-2023 07:20 AM

Because of a typo we had the following in our query:

 

 

earliest=-1@d

 

 

Since Splunk query actually ran I assumed that some kind of default value had been used.

I could not find such details in docs.

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

View solution in original post

Reply
Solved! Jump to solution

pm771
Communicator
‎02-08-2023 02:41 PM

I tried 

 

index= 
earliest=-600@m
| stats max(_time) as maxT min(_time) as minT
| eval maxtime=strftime(maxT,"%Y-%m-%dT%H:%M:%S.%Q"), mintime=strftime(minT,"%Y-%m-%dT%H:%M:%S.%Q")

 

and got back 10 min of events as expected based on your explanation.

0 Karma
Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:09 AM

Hello,

You are correct in identifying its behavior. When you write earliest=-1@d, it gives you the results on the basis of @d, which is every single result from the beginning of the day. -1 as ITWhisperer correctly pointed out accounts for a second and has no visible impact. 

shivanshu1593_0-1675872547023.png

 




Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:20 AM

As I said, -1 is not ignored, it is just that it has no appreciable impact, unless going back 1 second takes you back to the previous day. Essentially, without a time unit, seconds is assumed / defaulted.

Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:25 AM

Hello,

Thank you for correcting me and letting us know the correct behavior. I didn't know the correct fact here. I've updated the answer as well. 🙂

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top