Use time modifiers to customize the time range of a search or change the format of the timestamps in the search results.

When an event is processed by Splunk software, its timestamp is saved as the default field _time. This timestamp, which is the time when the event occurred, is saved in UNIX time notation. Searching with the time modifiers earliest and latest finds every event whose _time value falls at or after the earliest time, before the latest time, or between the two.

For example, searching with a date format variable that snaps to the start of the day finds every event with a _time value since midnight.

When you use a time modifier in the SPL syntax, that time overrides the time specified in the Time Range Picker. For example, suppose your search uses Yesterday in the Time Range Picker and you add the time modifier earliest=-2d to your search syntax. The search uses the time specified in the time modifier and ignores the time in the Time Range Picker. Because the search does not specify the latest time modifier, the default value now is used for latest. For more information, see Specify time modifiers in your search in the Search Manual.

Time ranges selected from the Time Range Picker apply to the base search and to subsearches. However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch; it does not apply to the base search or to any other subsearch. For example, if the Time Range Picker is set to Last 7 days and a subsearch contains its own earliest modifier, then that earliest modifier applies only to the subsearch and Last 7 days applies to the base search.

You also have the option of searching for events based on when they were indexed. The index time is saved in UNIX time notation in the _indextime field. Similar to earliest and latest for the _time field, you can use the relative time modifiers _index_earliest and _index_latest to search for events based on _indextime, for example to find the events that were indexed in the previous hour.

Note: When you use index-time modifiers such as _index_earliest and _index_latest, your search must also have an event-time window that retrieves the events. In other words, chunks of events might be ruled out by the event-time window as well as by the index-time window. An event that was delayed on its way to the indexer has an old _time but a recent _indextime, so a narrow event-time window can silently drop it even though its index time matches. To be certain of retrieving every event based on index time, run your search using All Time.

Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time as a quoted timestamp, or a relative time such as earliest=-h. When specifying relative time, you can use the now modifier to refer to the current time.

Use earliest=1 to specify the UNIX epoch time 1, which is UTC January 1, 1970 at 12:00:01 AM.
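The following Python model is an added example, not code from the Splunk documentation or from Splunk software. It resolves a subset of the time modifier syntax described above (epoch integers, now, signed offsets and snap-to units for seconds through days, chained left to right), applies an event-time window and an index-time window together, and shows which range governs a base search and a subsearch. The function names, the sample events, the value of NOW, and the conventions that earliest is inclusive, latest is exclusive, and an unspecified earliest means All Time are all assumptions made for the example. The delayed event is there to show the index-time caveat: it is indexed in the previous hour but dropped by a 24-hour event-time window.

```python
import re
from datetime import datetime, timedelta, timezone

# Subset of the modifier grammar: signed offsets (-2d, +3h, -h) and snap-to
# units (@d, @h), chained left to right as in -h@h or @d-2h. Week, month,
# quarter and year units are not modelled here.
TOKEN = re.compile(r"[+-]\d*[smhd]|@[smhd]")
UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
# Fields zeroed when snapping to the start of each unit.
SNAP = {
    "s": dict(microsecond=0),
    "m": dict(second=0, microsecond=0),
    "h": dict(minute=0, second=0, microsecond=0),
    "d": dict(hour=0, minute=0, second=0, microsecond=0),
}


def resolve(modifier, now):
    """Resolve a time modifier to a UTC epoch integer relative to `now`.

    Accepts a raw epoch integer (earliest=1 is 1970-01-01 00:00:01 UTC),
    the literal 'now', or a chain of offset/snap tokens. Raises ValueError
    for anything outside the modelled subset.
    """
    modifier = str(modifier).strip()
    if modifier == "now":
        return now
    if re.fullmatch(r"\d+", modifier):
        return int(modifier)
    t = datetime.fromtimestamp(now, tz=timezone.utc)
    pos = 0
    for m in TOKEN.finditer(modifier):
        if m.start() != pos:  # a gap means an unrecognised token
            raise ValueError(f"unparsable time modifier: {modifier!r}")
        pos = m.end()
        tok = m.group(0)
        if tok[0] == "@":
            t = t.replace(**SNAP[tok[1]])
        else:
            count = int(tok[1:-1] or 1)  # bare unit such as -h means 1
            delta = timedelta(**{UNIT[tok[-1]]: count})
            t = t - delta if tok[0] == "-" else t + delta
    if pos != len(modifier):
        raise ValueError(f"unparsable time modifier: {modifier!r}")
    return int(t.timestamp())


def search(events, now, earliest=None, latest="now",
           index_earliest=None, index_latest=None):
    """Ids of events inside BOTH the event-time window (on _time) and the
    index-time window (on _indextime). Assumed convention: lower bounds
    inclusive, upper bounds exclusive, None unbounded (earliest=None is
    All Time). latest defaults to now as the documentation describes."""
    def bound(mod):
        return None if mod is None else resolve(mod, now)

    def inside(value, low, high):
        return (low is None or low <= value) and (high is None or value < high)

    lo, hi = bound(earliest), bound(latest)
    ilo, ihi = bound(index_earliest), bound(index_latest)
    return [ev["id"] for ev in events
            if inside(ev["_time"], lo, hi)
            and inside(ev["_indextime"], ilo, ihi)]


def effective_windows(picker, base_modifiers, sub_modifiers):
    """Which (earliest, latest) pair governs the base search and a subsearch:
    the picker applies to both, modifiers written in the base search
    override it only for the base search, modifiers written in the
    subsearch only for the subsearch; an unspecified latest becomes now."""
    def effective(mods):
        if not mods:
            return picker
        return (mods.get("earliest"), mods.get("latest", "now"))
    return effective(base_modifiers), effective(sub_modifiers)


# Constructed sample data, not real Splunk events. NOW is 2023-11-14T22:13:20Z.
# 'late-vpn' occurred three days ago but reached the indexer twenty minutes
# ago (a delayed forwarder): old _time, fresh _indextime.
NOW = 1_700_000_000
EVENTS = [
    {"id": "ssh-ok", "_time": NOW - 30 * 60, "_indextime": NOW - 29 * 60},
    {"id": "late-vpn", "_time": NOW - 3 * 86400, "_indextime": NOW - 20 * 60},
    {"id": "two-days-old", "_time": NOW - 2 * 86400,
     "_indextime": NOW - 2 * 86400 + 60},
]


def indexed_last_hour(events, now, earliest=None):
    """Events indexed in the previous clock hour, with an optional
    event-time window (earliest=None is All Time)."""
    return search(events, now, earliest=earliest,
                  index_earliest="-h@h", index_latest="@h")


if __name__ == "__main__":
    print("All Time     :", indexed_last_hour(EVENTS, NOW))
    print("earliest=-24h:", indexed_last_hour(EVENTS, NOW, earliest="-24h"))
    print(effective_windows(("-7d", "now"), {"earliest": "-2d"}, {}))
```

Running it with All Time returns both events indexed in the previous hour; adding earliest=-24h returns only ssh-ok, because late-vpn's _time is outside the event-time window even though its _indextime is inside the index-time window. The last line shows that earliest=-2d written into the base search leaves the subsearch on the picker's Last 7 days.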