Solved: Latest value to be at midnight yesterday

royimad · ‎09-12-2013

Hello Splunk,

How to precise a value for latest to be equal to midnight yesterday.
Example: Today is 9-12-2013 and i want to get event till the end of day 9-11-2013

What should be the value

royimad · ‎09-23-2013

Hi MuS,

Example 1: search sourcetype=".... earliest=-7d@d latest=@d ( Last Week )
Example 2: search sourcetype=".....earliest=-1d@d latest=@d ( Yesterday )

Simple:@d will truncate data till midnight
This example show last week and yesterday data ending by midnight.

Thanks,

View solution in original post

royimad · ‎09-23-2013

Hi MuS,

Example 1: search sourcetype=".... earliest=-7d@d latest=@d ( Last Week )
Example 2: search sourcetype=".....earliest=-1d@d latest=@d ( Yesterday )

Simple:@d will truncate data till midnight
This example show last week and yesterday data ending by midnight.

Thanks,

HattrickNZ · ‎04-29-2015

will example 1 show mon-sun of last week if run on a wednesday? Or does it have to be run on a monday?

MuS · ‎09-12-2013

Hi royimad

that would be latest=-1d@d to be used in your search.

You can find time modifiers here or in the UI select the time range picker - custom time and in the next screen select Advanced search language and start with your test. The nice thing in the UI is, that the time modifiers like -1d@d gets translated into human readable time.

hope that helps....

cheers, MuS

Latest value to be at midnight yesterday

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk