What time does @d snap to? Does it change?

DaClyde · ‎09-16-2020

I am searching IIS logs, trying to calculate the number of GB transferred each day for the last 7 days. Here is my search:

index=iis sourcetype=iis cs_user_agent="JTDI*" earliest=-7d@d
| stats sum(cs_bytes) as UPLOADS, sum(sc_bytes) as DOWNLOADS by date_mday
| eval UPLOADS=round(UPLOADS/1024/1024/1024,2)
| eval DOWNLOADS=round(DOWNLOADS/1024/1024/1024,2)
| rename date_mday as "Day of the Month"| sort -"Day of the Month"

The problem I am having is that I get a different result for the 7th day if I use -7d@d vs -8d@d. In both cases, every day should be the total for that day since midnight. So when I search over 8 days, why does my 7th day have more data?

thambisetty · ‎09-16-2020

Tthe easiest way to see how time modifiers are used to for earliest and latest time is just run a search with non-existing index like below:

I tried your query with internal logs and I don't see a problem. 9th - 16th are common for both queries with -7d@d and -8d@d time modifiers.

I see slight difference on 16th that could be because of new events might have come while main search is running.

————————————
If this helps, give a like below.

DaClyde · ‎09-16-2020

Yes, the 16th makes sense because of on-going operations, but my problem has been with the value for the 9th. I will try it with some other indexes and see if I still have the same problem.

What time does @d snap to? Does it change?

stats

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]