Splunk Search

I want to get data from 8am yesterday to 8am today. Can anyone help me?

Puvi
New Member

I want to get data from 8am yesterday to 8am today.


Richfez
SplunkTrust

There's a whole pile of relative time modifiers you can use in the search, for instance:

index=ha earliest=-1d+8h@h latest=@d+8h

That searches my index "ha" for events where the earliest _time matches

-1d = go back one day to yesterday
+8h = add 8 hours to that (so 8 hours after the beginning of yesterday)
@h = "snap" to the hour 8:00:00 instead of using current minutes/seconds like 8:18:35

and the latest _time is no later than more or less the same as the above, only instead of going back a day, it just snaps to the beginning of the current day and adds 8 hours.

You can put these in the time picker, too!
Click your time picker, then at the bottom click on "Advanced". If you paste the -1d+8h or whatever into there for the earliest/latest times, you can even see what it turns into.

Also see these docs for Time Modifiers.
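A caveat worth checking before relying on the expression above: Splunk applies chained modifiers left to right, and a snap-to (@unit) truncates the time computed so far, not the original "now". Evaluated at 08:18:35 today, -1d+8h@h goes back a day (08:18:35 yesterday), adds 8 hours (16:18:35 yesterday) and snaps to the hour (16:00 yesterday), which is 8 hours late; it only lands on 08:00 when the search happens to run shortly after midnight. The form that gives 08:00 yesterday no matter when the search runs is -1d@d+8h (back a day, snap to the start of that day, add 8 hours). The script below is an added example, not code from the answer above or from Splunk: a small evaluator for the modifier syntax (offsets in s/m/h/d/w and @-snaps to those units; month, quarter, year and @w0..@w6 are left out) that resolves both expressions against a constructed "now" and applies the resulting window to constructed events, with earliest inclusive and latest exclusive as Splunk does.

```python
import re
from datetime import datetime, timedelta

# Constructed reference instant for the worked example (assumption: the search runs now).
NOW = datetime(2023, 3, 15, 8, 18, 35)

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# One token is either an offset like -1d / +8h / -h (count defaults to 1) or a snap like @d.
_TOKEN = re.compile(r"([+-]\d*[smhdw])|(@[smhdw])")


def snap(t, unit):
    """Truncate t to the start of the given unit, the way Splunk's @unit does."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":  # Splunk's @w snaps to the preceding Sunday
        day = t.replace(hour=0, minute=0, second=0, microsecond=0)
        return day - timedelta(days=(day.weekday() + 1) % 7)
    raise ValueError(f"unsupported snap unit {unit!r}")


def resolve(modifier, now=NOW):
    """Resolve a relative time modifier against `now`, applying each token left to right."""
    if modifier in ("", "now"):
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # reject anything between tokens, e.g. a stray space
            raise ValueError(f"unexpected text in {modifier!r} at offset {pos}")
        pos = m.end()
        tok = m.group(0)
        if tok.startswith("@"):
            t = snap(t, tok[1])
        else:
            sign = -1 if tok[0] == "-" else 1
            count = int(tok[1:-1] or "1")
            t = t + timedelta(seconds=sign * count * _UNIT_SECONDS[tok[-1]])
    if pos != len(modifier):
        raise ValueError(f"trailing text in {modifier!r} at offset {pos}")
    return t


def in_window(event_time, earliest, latest, now=NOW):
    """True if earliest <= event_time < latest, both given as modifier strings."""
    return resolve(earliest, now) <= event_time < resolve(latest, now)


# Constructed events around the boundaries of the intended window.
EVENTS = [
    datetime(2023, 3, 14, 7, 59, 59),   # before 8am yesterday: out
    datetime(2023, 3, 14, 8, 0, 0),     # exactly 8am yesterday: in
    datetime(2023, 3, 14, 12, 0, 0),    # midday yesterday: in
    datetime(2023, 3, 15, 7, 59, 59),   # just before 8am today: in
    datetime(2023, 3, 15, 8, 0, 0),     # exactly 8am today: out (latest is exclusive)
]


def select(earliest, latest, now=NOW):
    """Return the constructed events that a search with these modifiers would match."""
    return [e for e in EVENTS if in_window(e, earliest, latest, now)]


if __name__ == "__main__":
    for expr in ("-1d+8h@h", "-1d@d+8h", "@d+8h"):
        print(f"{expr:>10} -> {resolve(expr)}")
    print("posted  :", select("-1d+8h@h", "@d+8h"))
    print("intended:", select("-1d@d+8h", "@d+8h"))
```

Running it prints the three resolved timestamps and then the events matched by the posted window versus the intended one; with the constructed 08:18:35 "now", the posted window misses the two yesterday-morning events. The same evaluator is handy for sanity-checking any expression before pasting it into the time picker's Advanced box.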
