Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

earliest=-1w does not work

GauriSplunk
Path Finder
‎11-06-2015 01:02 PM

Hi,
I have the following simple search.
sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security earliest=-1w

When i run this search i do not get results. But when i remove the earliest command, I get the results.
All the results have todays date as time. So it should return result when I put earliest as 1 week back.

Why is earliest not working

Thanks

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

GauriSplunk
Path Finder
‎11-09-2015 09:39 AM

the date on my events was greater than current date. (maybe the date on that machine was wrongly set).
So I believe it takes latest as now by default.
so earliest=-1w and latest = now , it didnt match the events.

If it didnt take any default value for latest, it would have worked.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-09-2015 12:20 PM

Running this search on Splunk 6.3.1 on Linux works:

index="_internal" sourcetype="splunkd" source="*metrics.log" earliest=-1w

It will return 450,072 events (before 11/10/15 9:19:03.378 AM)

0 Karma
Reply
Solved! Jump to solution
Solution

GauriSplunk
Path Finder
‎11-09-2015 09:39 AM

the date on my events was greater than current date. (maybe the date on that machine was wrongly set).
So I believe it takes latest as now by default.
so earliest=-1w and latest = now , it didnt match the events.

If it didnt take any default value for latest, it would have worked.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-09-2015 12:16 PM

Hi GauriSplunk,

I converted your comment to an answer since it looks like you solved your time stamp issue/problem by setting a latest value in the search. Is that correct?

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

GauriSplunk
Path Finder
‎11-09-2015 01:02 PM

yes. thanks

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-08-2015 10:27 PM

I am sorry, I was careless and made a silly mistake in my testing and retract my confirmation of this problem. I am unable to reproduce it.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-08-2015 08:45 AM

Does putting around source & sourcetype make any difference?

sourcetype="ib:reserved1" source="ib:user:user_login" index="ib_security" earliest=-1w

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎11-08-2015 12:27 PM

No, I tried again with and without quotes around various pieces but just can't make it misbehave. I've also tried the various pieces individually and in various combinations. If GauriSplunk can reproduce this at will, I expect Splunk Support will definately want to take a look at this.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...