Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What does <time_unit> default to?

pm771
Communicator
‎02-08-2023 07:20 AM

Because of a typo we had the following in our query:

 

 

earliest=-1@d

 

 

Since Splunk query actually ran I assumed that some kind of default value had been used.

I could not find such details in docs.

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

View solution in original post

Reply
Solved! Jump to solution

pm771
Communicator
‎02-08-2023 02:41 PM

I tried 

 

index= 
earliest=-600@m
| stats max(_time) as maxT min(_time) as minT
| eval maxtime=strftime(maxT,"%Y-%m-%dT%H:%M:%S.%Q"), mintime=strftime(minT,"%Y-%m-%dT%H:%M:%S.%Q")

 

and got back 10 min of events as expected based on your explanation.

0 Karma
Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:09 AM

Hello,

You are correct in identifying its behavior. When you write earliest=-1@d, it gives you the results on the basis of @d, which is every single result from the beginning of the day. -1 as ITWhisperer correctly pointed out accounts for a second and has no visible impact. 

shivanshu1593_0-1675872547023.png

 




Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:20 AM

As I said, -1 is not ignored, it is just that it has no appreciable impact, unless going back 1 second takes you back to the previous day. Essentially, without a time unit, seconds is assumed / defaulted.

Reply
Solved! Jump to solution

shivanshu1593
Builder
‎02-08-2023 08:25 AM

Hello,

Thank you for correcting me and letting us know the correct behavior. I didn't know the correct fact here. I've updated the answer as well. 🙂

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-08-2023 08:00 AM

Time is stored in seconds so -1 is previous second (from now),  @d will align to the beginning of the day, so-1@d is midnight last night unless you run the search within the first second of today, in which case it will be midnight on the previous night.

Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...