Solved: What would be the syntax for the Earliest time mod...

Vijaikanth · ‎06-23-2015

Requirement is i need to fetch a Report for the last 12 months.

If today's date is Jun 23, 2015 10:12:20 AM then my

Latest Event = NOW,
Earliest Event = July 1, 2014 00:00:00 AM

What will be the expression i need to use to get that Earliest event?

If i specify "-y" or "-1y@month" it will give June 1, 2014 as Earliest event so usually i get 13 months in the result set (Starting from June 2014 to June 2015 - count 13 months) but any time if the report runs it should give 12 months data in column

srinathd · ‎06-23-2015

Try earliest=-11mon@mon latest=@d

View solution in original post

srinathd · ‎06-23-2015

Try earliest=-11mon@mon latest=@d

Vijaikanth · ‎06-23-2015

Thanks Srinath. In case if the date is "July 1, 2015" then according to the above answer

earliest = -11mon ==> earliest = "Aug 1, 2014" .

so it will return 11 months right.. or it will return from "July 1, 2014" to "July 1, 2015" ?

srinathd · ‎06-23-2015

Then use earliest=-12mon@mon latest=@mon or @d based on your need.

What would be the syntax for the Earliest time modifier to report on data for the last 12 months?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform