Splunk Search

I want to get data from 8am yesterday to 8am today. Can anyone help me?

Puvi
New Member

I want to get data from 8am yesterday to 8am today.


Richfez
SplunkTrust

There's a whole pile of relative time modifiers you can use in the search, for instance

index=ha earliest=-1d+8h@h latest=@d+8h

That searches my index "ha" for events where the earliest _time matches

-1d = go back one day to yesterday
+8h = add 8 hours to that (so 8 hours after the beginning of yesterday)
@h = "snap" to the hour 8:00:00 instead of using current minutes/seconds like 8:18:35

and the latest _time is no later than more or less the same as the above, only instead of going back a day, it just takes the snap to beginning of current day and adds 8 hours.

You can put these in the time picker, too!
Click your time picker, then at the bottom click on "Advanced". If you paste the -1d+8h or whatever into there for the earliest/latest times, you can even see what it turns into.

Also see these docs for Time Modifiers.
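The "see what it turns into" check from the answer, done in code as an added example that is not part of the original thread and not Splunk's own code: a small Python model of relative time modifiers that assumes the documented order of operations (offsets left of the "@" apply first, then the snap, then any trailing offsets) and supports only the s/m/h/d/w units; NOW is a constructed timestamp. It resolves a pair that yields the 8am-to-8am window alongside the answer's own earliest/latest pair, so you can compare the resulting windows before running the search.

```python
import re
from datetime import datetime, timedelta

# Constructed model of Splunk relative time modifiers (s/m/h/d/w units only).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TOKEN = re.compile(r"([+-]?)(\d*)([smhdw])")
FLOORS = {"m": {"second": 0}, "h": {"minute": 0, "second": 0},
          "d": {"hour": 0, "minute": 0, "second": 0}}
NOW = datetime(2024, 3, 14, 10, 18, 35)  # constructed "now" (a Thursday) for the demo

def snap(t: datetime, unit: str) -> datetime:
    """Round t down to the start of unit; Splunk always snaps backwards."""
    if unit == "w":  # @w snaps to the preceding Sunday
        day = snap(t, "d")
        return day - timedelta(days=(day.weekday() + 1) % 7)
    return t.replace(microsecond=0, **FLOORS[unit])

def apply_offsets(t: datetime, spec: str) -> datetime:
    """Apply a chain such as '-1d+8h' left to right; a bare unit means 1."""
    pos = 0
    for m in TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"cannot parse {spec!r}")
        sign, count, unit = m.groups()
        n = int(count or 1) * (-1 if sign == "-" else 1)
        t += timedelta(seconds=n * UNIT_SECONDS[unit])
        pos = m.end()
    if pos != len(spec):
        raise ValueError(f"cannot parse {spec!r}")
    return t

def resolve(modifier: str, now: datetime) -> datetime:
    """Offsets left of '@' apply first, then the snap, then trailing offsets."""
    before, at, after = modifier.partition("@")
    t = apply_offsets(now, before)
    return apply_offsets(snap(t, after[:1]), after[1:]) if at else t

def window(earliest: str, latest: str, now: datetime) -> tuple:
    """Resolve an earliest/latest pair and reject an empty or inverted window."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start >= end:
        raise ValueError(f"{earliest!r} does not fall before {latest!r}")
    return start, end

if __name__ == "__main__":
    for e, l in [("-1d@d+8h", "@d+8h"), ("-1d+8h@h", "@d+8h")]:
        s, t = window(e, l, NOW)
        print(f"earliest={e:<9} latest={l}: {s:%Y-%m-%d %H:%M} .. {t:%Y-%m-%d %H:%M}")
```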
