What is the difference between earliest/latest and starttimeu/endtimeu?

In my case I was using the map command with starttimeu/endtimeu, but I'm not sure WHY I'm using those in the subquery rather than earliest/latest, which I use in the initial query.

So when should I use one vs the other?



Starttimeu and endtimeu are deprecated keywords for specifying a timestamp in Unix epoch (integer) form. Earliest and latest, of course, expect string arguments. Since starttimeu and endtimeu may disappear in a future release, they should be avoided.

I have not done a lot with the map command so it's not clear if one can substitute earliest for starttimeu.

If this reply helps you, an upvote would be appreciated.