Hi, I have extracted data from a database into a summary index which is updated every hour. The database has information that is in the past and the future.

DESCR="TV HD", START_Time="2021-01-10 09:00:00", NAME="Crime Patrol"
DESCR="TV HD", START_Time="2021-01-11 10:00:00", NAME="Fire Patrol"
DESCR="TV HD", START_Time="2021-01-12 09:00:00", NAME="Ambulance Patrol"
DESCR="TV HD", START_Time="2021-01-13 09:00:00", NAME="Crime Patrol"
DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"
DESCR="TV HD", START_Time="2021-01-15 09:00:00", NAME="Ambulance Patrol"
DESCR="TV HD", START_Time="2021-01-16 09:00:00", NAME="Crime Patrol"

I would like to extract data for the last two days based on START_Time, e.g. today's date is 2021-01-15, returned data:

DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"
DESCR="TV HD", START_Time="2021-01-15 09:00:00", NAME="Ambulance Patrol"

I have tried to use relative time/strptime but I am unable to get the time frame correct. My problem is that most solutions require me to eval START_Time to _time using strftime. However, as my data is in a summary index, the above data has multiple time entries in front of it, and to get the latest time I use earliest=-60m@m latest=@m. This causes me issues when modifying _time in a search.

I have tried to use this solution as a guide: https://www.splunk.com/en_us/blog/tips-and-tricks/get-time-on-your-side-how-to-sort-by-more-than-one-time-field.html

The time picker is ignored as I am using earliest/latest. I only get details for the last hour; if I change it to earliest=-120m@m latest=@m I get a double line:

2021-01-15 14:25:13.206 DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"
2021-01-15 13:25:13.206 DESCR="TV HD", START_Time="2021-01-14 09:00:00", NAME="Fire Patrol"

Does anyone have any ideas? Thanks.
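One way to do this without touching _time, as an added example (not part of the original post). It assumes the field names from the post (DESCR, START_Time, NAME), the START_Time format shown, and a placeholder index name (index=your_summary_index) that you would replace with the real one. The idea is to keep earliest/latest on _time so they only control which hourly snapshots are read, parse START_Time into a separate epoch field, bound that field with relative_time, and then collapse the duplicate snapshots with dedup:

```spl
index=your_summary_index earliest=-120m@m latest=@m
| eval start_epoch=strptime(START_Time, "%Y-%m-%d %H:%M:%S")
| where start_epoch >= relative_time(now(), "-1d@d") AND start_epoch < relative_time(now(), "+1d@d")
| dedup DESCR START_Time NAME
| sort 0 start_epoch
| table _time DESCR START_Time NAME
```

With today being 2021-01-15, relative_time(now(), "-1d@d") is midnight at the start of 2021-01-14 and relative_time(now(), "+1d@d") is midnight at the start of 2021-01-16, so the where clause keeps exactly the 01-14 and 01-15 rows and drops the 01-16 one. Because events come back newest first, dedup on the three key fields keeps the most recent copy of each row and removes the second line you saw with the 120-minute window; the widened window is still useful, since it survives a single missed hourly update. strptime with no timezone in the format string interprets START_Time in the search's timezone, so if the database stores UTC, append a literal offset or convert with relative_time/strftime before comparing.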