Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What time does @d snap to? Does it change?

DaClyde
Contributor
‎09-16-2020 06:38 AM

I am searching IIS logs, trying to calculate the number of GB transferred each day for the last 7 days.  Here is my search:

index=iis sourcetype=iis cs_user_agent="JTDI*" earliest=-7d@d
| stats sum(cs_bytes) as UPLOADS, sum(sc_bytes) as DOWNLOADS by date_mday
| eval UPLOADS=round(UPLOADS/1024/1024/1024,2)
| eval DOWNLOADS=round(DOWNLOADS/1024/1024/1024,2)
| rename date_mday as "Day of the Month"| sort -"Day of the Month"

The problem I am having is that I get a different result for the 7th day if I use -7d@d vs -8d@d.  In both cases, every day should be the total for that day since midnight.  So when I search over 8 days, why does my 7th day have more data?

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-16-2020 07:08 AM

Tthe easiest way to see how time modifiers are used to for earliest and latest time is just run a search with non-existing index like below:

time-modifier.png

I tried your query with internal logs and I don't see a problem. 9th - 16th are common for both queries with -7d@d and -8d@d time modifiers.

I see slight difference on 16th that could be because of new events might have come while main search is running.

compare_8_7_days.png

————————————
If this helps, give a like below.
0 Karma
Reply

DaClyde
Contributor
‎09-16-2020 07:55 AM

Yes, the 16th makes sense because of on-going operations, but my problem has been with the value for the 9th.  I will try it with some other indexes and see if I still have the same problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...