There is a possible use case of searching throughout the whole 7pm-7am range if there is a possibility of an event indexing late (with a significant lag). While typically it signifies problems with data quality or problems with the processing pipeline, there are some ingestion schemes for which that can be a normal mode of operation (for example, WEF in pull mode has a 30-minute interval by default, if I remember correctly). In such a case you can manipulate your time range, similarly to earliest=@d+19h. You should even be able to do something like earliest=-12h@d+19h (but I haven't tested it since I don't have a Splunk instance available at the moment). Fiddle with this and check if it's what you need. But if your data is ingested with a constant flow, then you should be OK with monitoring just the most recently ingested part, as @richgalloway said. Either use a search window slightly longer than your scheduled interval in order not to miss any slightly lagged events, or use a continuous schedule.
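The behaviour of the earliest=@d+19h and earliest=-12h@d+19h modifiers discussed in the post can be checked offline without a Splunk instance. The script below is an added example (not code from the post or from Splunk); it implements the documented relative-time semantics as I understand them (offsets are applied left to right, and a @unit snap truncates the running timestamp to that unit before any later offset is applied), and it only handles the s, m, h and d units. The timestamps used as "now" are constructed for the demonstration. It shows the pitfall the post is working around: a search scheduled at 03:00 with earliest=@d+19h gets a window starting at 19:00 today, i.e. in the future, while -12h@d+19h reliably lands on the most recent 19:00.

```python
"""Resolve Splunk-style relative time modifiers to absolute timestamps.

Added example, not part of the original post or of Splunk.  Assumed
semantics: tokens are processed left to right; '[+|-]<n><unit>' shifts
the running time (n defaults to 1), '@<unit>' snaps it down to the start
of that unit.  Supported units: s, m, h, d.  Week/month/year snapping is
deliberately left out to keep the example short.
"""
import re
from datetime import datetime, timedelta

_TOKEN = re.compile(r'([+-])(\d*)([smhd])|@([smhd])')
_UNIT = {'s': 'seconds', 'm': 'minutes', 'h': 'hours', 'd': 'days'}


def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of the given unit (assumed Splunk '@' semantics)."""
    if unit == 'd':
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == 'h':
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == 'm':
        return t.replace(second=0, microsecond=0)
    return t.replace(microsecond=0)


def resolve(modifier: str, now: datetime) -> datetime:
    """Return the absolute time denoted by `modifier` relative to `now`."""
    if modifier == 'now':
        return now
    t = now
    pos = 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # gap between tokens -> something we do not parse
            raise ValueError(f'unparsable modifier near {modifier[pos:]!r}')
        pos = m.end()
        sign, count, unit, snap = m.groups()
        if snap:
            t = _snap(t, snap)
        else:
            n = int(count) if count else 1  # '-d' means '-1d'
            delta = timedelta(**{_UNIT[unit]: n})
            t = t + delta if sign == '+' else t - delta
    if pos != len(modifier):
        raise ValueError(f'trailing garbage in modifier: {modifier[pos:]!r}')
    return t


def search_window(earliest: str, latest: str, now: datetime):
    """Resolve an (earliest, latest) pair; a start after the end is an empty window."""
    start, end = resolve(earliest, now), resolve(latest, now)
    return start, end, start <= end


if __name__ == '__main__':
    # Constructed run times: a search scheduled at 03:00 and one at 21:00.
    for run_at in (datetime(2024, 5, 14, 3, 0), datetime(2024, 5, 14, 21, 0)):
        for earliest in ('@d+19h', '-12h@d+19h'):
            start, end, ok = search_window(earliest, 'now', run_at)
            print(f'run {run_at:%Y-%m-%d %H:%M}  earliest={earliest:<12} '
                  f'-> {start:%Y-%m-%d %H:%M} .. {end:%H:%M}  '
                  f'{"ok" if ok else "EMPTY (start is in the future)"}')
```

Running it prints one line per combination; the 03:00 run with @d+19h is the one flagged as an empty window, which is exactly why the post suggests pulling back 12 hours before snapping to the day.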