Re: What is splunk definition for yesterday time r...

Indu · ‎03-08-2023

Hi ,

I have an alert scheduled to run every day 7 am and this runs on Time Range : Yesterday.

Wanted to know how Splunk interprets this. If today is a Thursday, am I supposed to get all data until Wednesday 7 am as a cutoff time? or is it Wednesday 23:59:59 as the cut off time?

Please advise on the above. Thanks in advance.

inventsekar · ‎03-08-2023

Hi @Indu ...

Wanted to know how Splunk interprets this. If today is a Thursday, am I supposed to get all data until Wednesday 7 am as a cutoff time? or is it Wednesday 23:59:59 as the cut off time?

the alert timerange, you can very fine-tune, same like the search queries.

when the alert runs for "yesterday"... it is the previous day (in your case, the wednesday 00:00 to 23:59).

when you mean, last 24hrs, it means, wednesday 7am to thursday 7am.

hope you got it.. pls let us know if its still not clear.

if you give us the search query for the alert, then, we may be able to help you better as well. thanks.

Best Regards,

Sekar

yuanliu · ‎03-08-2023

In addition, you can examine empirically by searching a busy index such as _internal using addinfo.

index=_internal
| addinfo
| head 1
| table info*_time
| eval info_max_time = strftime(info_max_time, "%F %H:%M:%S"), info_min_time = strftime(info_min_time, "%F %H:%M:%S")

For Yesterday, the result is

info_max_time	info_min_time	info_search_time
2023-03-08 00:00:00	2023-03-07 00:00:00	1678337476.679

What is splunk definition for yesterday time range?

other

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)