Splunk Search

I want to get data from 8am yesterday to 8am today. Can anyone help me?

Puvi
New Member

I want to get data from 8am yesterday to 8am today.

0 Karma

Richfez
SplunkTrust

There's a whole pile of relative time modifiers you can use in the search, for instance

index=ha earliest=-1d+8h@h latest=@d+8h

That searches my index "ha" for events where the earliest _time matches

-1d = go back one day to yesterday
+8h = add 8 hours to that (so 8 hours after the beginning of yesterday)
@h = "snap" to the hour 8:00:00 instead of using current minutes/seconds like 8:18:35

and the latest _time is no later than more or less the same as the above, only instead of going back a day, it just takes the snap to beginning of current day and adds 8 hours.

You can put these in the time picker, too!
Click your time picker, then at the bottom click on "Advanced". If you paste the -1d+8h or whatever into there for the earliest/latest times, you can even see what it turns into.

Also see these docs for Time Modifiers.
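Because `@` snaps whatever value has been accumulated so far, the order of the tokens changes the result: `-1d@d+8h` lands on 08:00 yesterday, while `-1d+8h@h` shifts from the current time and only rounds down to the hour. The evaluator below is an added example, not part of the original thread and not Splunk's own code; it models that left-to-right rule for a fixed, constructed `now` (2022-11-15 14:18:35) so a modifier pair can be checked before it goes into a search or the time picker. It understands seconds through years only; weeks, quarters and the `w0`..`w6` weekday snaps are left out as an assumption.

```python
import calendar
import re
from datetime import datetime, timedelta

# Constructed "now" so the results are reproducible offline
# (Splunk itself uses the search head's clock in its local time zone).
NOW = datetime(2022, 11, 15, 14, 18, 35)

# Subset of Splunk's time units (assumption: weeks, quarters and the
# w0..w6 weekday snaps are left out to keep the example short).
_UNITS = {
    "s": "second", "sec": "second",
    "m": "minute", "min": "minute",
    "h": "hour", "hr": "hour",
    "d": "day", "day": "day",
    "mon": "month", "month": "month",
    "y": "year", "year": "year",
}

# One token is either an offset (+8h, -1d) or a snap (@d, @h).
_TOKEN = re.compile(r"([+-]\d+)([a-z]+)|@([a-z]+)")

# Fields zeroed when snapping to each unit.
_SNAP_FIELDS = {
    "second": {"microsecond": 0},
    "minute": {"second": 0, "microsecond": 0},
    "hour": {"minute": 0, "second": 0, "microsecond": 0},
    "day": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0},
    "month": {"day": 1, "hour": 0, "minute": 0, "second": 0, "microsecond": 0},
    "year": {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0, "microsecond": 0},
}


def _snap(t, unit):
    """Round t down to the start of the unit (@h -> hh:00:00, @d -> 00:00:00)."""
    return t.replace(**_SNAP_FIELDS[unit])


def _offset(t, n, unit):
    """Shift t by n units; months and years are calendar moves, not 30/365 days."""
    if unit in ("second", "minute", "hour", "day"):
        return t + timedelta(**{unit + "s": n})
    months = n * 12 if unit == "year" else n
    total = t.year * 12 + (t.month - 1) + months
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))


def resolve(modifier, now=NOW):
    """Evaluate a relative time modifier string against `now`.

    Tokens are applied left to right: an offset shifts the running value,
    and '@unit' snaps whatever has been accumulated so far. That is why
    '-1d@d+8h' and '-1d+8h@h' resolve to different instants.
    """
    modifier = modifier.strip()
    if modifier in ("", "now"):
        return now
    t, pos = now, 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:
            raise ValueError(f"unparsable modifier: {modifier!r}")
        pos = m.end()
        offset_n, offset_unit, snap_unit = m.groups()
        if snap_unit is not None:
            t = _snap(t, _UNITS[snap_unit])
        else:
            t = _offset(t, int(offset_n), _UNITS[offset_unit])
    if pos != len(modifier):
        raise ValueError(f"unparsable modifier: {modifier!r}")
    return t


def describe(modifier, now=NOW):
    """Return the resolved instant as 'YYYY-MM-DD HH:MM:SS' for easy reading."""
    return resolve(modifier, now).isoformat(sep=" ")


def window(earliest, latest, now=NOW):
    """Resolve an earliest/latest pair and refuse an empty or inverted window."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start >= end:
        raise ValueError(f"earliest {start} is not before latest {end}")
    return start.isoformat(sep=" "), end.isoformat(sep=" ")


if __name__ == "__main__":
    for spec in ("-1d@d+8h", "@d+8h", "-1d+8h@h", "-1d@h", "now"):
        print(f"{spec:12} -> {describe(spec)}")
    print("window:", window("-1d@d+8h", "@d+8h"))
```

Running it prints the instant each modifier resolves to against the constructed clock, and `window()` refuses a pair whose earliest is not before its latest, which is the mistake that silently returns zero events in a real search. One difference from Splunk to keep in mind: `-1d` here is a flat 24 hours, whereas Splunk steps back one calendar day in the search head's time zone, so across a DST change the two can differ by an hour.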
