Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

i want to get data's from 8am ysterday to 8am today.. ?? can anyone help me

Puvi
New Member
‎04-08-2020 09:23 PM

i want to get data's from 8am ysterday to 8am today..

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎04-09-2020 05:24 AM

There's a whole pile of relative time modifies you can use in the search, for instance

index=ha earliest=-1d+8h@h latest=@d+8h

That searches my index "ha" for events where the earliest _time matches 

-1d = go back one day to yesterday
+8h = add 8 hours to that (so 8 hours after the beginning of yesterday)
@h = "snap" to the hour 8:00:00 instead of using current minutes/seconds like 8:18:35

and the latest _time is no later than more or less the same as the above, only instead of going back a day, it just takes the snap to beginning of current day and adds 8 hours.

You can put these in the time picker, too!
Click your time picker, then at the bottom click on "Advanced". If you paste the -1d+8h or whatever into there for the earliest/latest times, you can even see what it turns into.

Also see these docs for Time Modifiers.

Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...