Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

startminutesago/endminutesago vs earliest/latest

southeringtonp
Motivator
‎09-21-2010 06:05 PM

I know that from version 4 onward, use of the earliest and latest time parameters are preferred over the older startminutesago and related keywords, which appear to be deprecated.

Are there any differences in the way the two approaches are handled internally?

I'm wondering especially in the context of scheduled searches, where the actual time at which a search is kicked off may vary slightly from the time at which it is nominally scheduled (e.g., due to many searches scheduled at the same time).

Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-21-2010 06:19 PM

Earliest and latest can be provided out-of-band to the splunk engine, which matters if you're using REST, but not to most users. Earliest and latest are quite a bit more flexible in their behavior, it's common to want to snap the time ranges to day boundaries or similar which is clumsy with the old terms. Earliest and latest expressions can be a bit trickier to read though.

The scheduler runs searches with a now value, now=1234777433 or whatever unix seconds-from-epoch time the search was configured to be run at, so it will consider all relative times to be from that scheduled time, not at the moment it executes.

However, in the case of delays (when there are more searches than can possibly be run) not all timeslots for a search occur. This may appear to you a bit differently if you use the snapping behavior for earliest/latest and not for startminutesago.

Incidentally, in 4.1 there are status dashboards for the scheduled searches to give you a window into your scheduled search load and whether they are all happening as expected. This allows you to prune searches you don't really need or increase search capacity (or raise the capacity allotted to scheduled searches over interactive searches).

View solution in original post

Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-21-2010 06:19 PM

Earliest and latest can be provided out-of-band to the splunk engine, which matters if you're using REST, but not to most users. Earliest and latest are quite a bit more flexible in their behavior, it's common to want to snap the time ranges to day boundaries or similar which is clumsy with the old terms. Earliest and latest expressions can be a bit trickier to read though.

The scheduler runs searches with a now value, now=1234777433 or whatever unix seconds-from-epoch time the search was configured to be run at, so it will consider all relative times to be from that scheduled time, not at the moment it executes.

However, in the case of delays (when there are more searches than can possibly be run) not all timeslots for a search occur. This may appear to you a bit differently if you use the snapping behavior for earliest/latest and not for startminutesago.

Incidentally, in 4.1 there are status dashboards for the scheduled searches to give you a window into your scheduled search load and whether they are all happening as expected. This allows you to prune searches you don't really need or increase search capacity (or raise the capacity allotted to scheduled searches over interactive searches).

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...