We have situations where we just want to show what happened "today", which is defined as from Midnight to now. That's easy to say in English, and it's easy to define latest=now, but I am having trouble figuring out what to specify as the 'earliest' value to get Splunk to understand midnight.
Midnight is just zero hours, relative to the current day, so you can use:
earliest=-0h@d
or just:
earliest=@d
You should also have Today
available as an option in the TimeRangePicker.
Midnight is just zero hours, relative to the current day, so you can use:
earliest=-0h@d
or just:
earliest=@d
You should also have Today
available as an option in the TimeRangePicker.