Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What time does @d snap to? Does it change?

DaClyde
Contributor
‎09-16-2020 06:38 AM

I am searching IIS logs, trying to calculate the number of GB transferred each day for the last 7 days.  Here is my search:

index=iis sourcetype=iis cs_user_agent="JTDI*" earliest=-7d@d
| stats sum(cs_bytes) as UPLOADS, sum(sc_bytes) as DOWNLOADS by date_mday
| eval UPLOADS=round(UPLOADS/1024/1024/1024,2)
| eval DOWNLOADS=round(DOWNLOADS/1024/1024/1024,2)
| rename date_mday as "Day of the Month"| sort -"Day of the Month"

The problem I am having is that I get a different result for the 7th day if I use -7d@d vs -8d@d.  In both cases, every day should be the total for that day since midnight.  So when I search over 8 days, why does my 7th day have more data?

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-16-2020 07:08 AM

Tthe easiest way to see how time modifiers are used to for earliest and latest time is just run a search with non-existing index like below:

time-modifier.png

I tried your query with internal logs and I don't see a problem. 9th - 16th are common for both queries with -7d@d and -8d@d time modifiers.

I see slight difference on 16th that could be because of new events might have come while main search is running.

compare_8_7_days.png

————————————
If this helps, give a like below.
0 Karma
Reply

DaClyde
Contributor
‎09-16-2020 07:55 AM

Yes, the 16th makes sense because of on-going operations, but my problem has been with the value for the 9th.  I will try it with some other indexes and see if I still have the same problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...