Hello,
Could someone please delineate the difference between these two earliest commands:
earliest=-2d
earliest=-2d@d
Thank you,
Mike
So say you're issuing a search at 14:00 on the 28th of April.
earliest=-2d
will go back exactly two days and start at 14:00 on the 26th of April.
earliest=-2d@d
will go back to two days ago and then "snap" to 00:00 of that day - it means "give me events from the 26th and onwards".
This becomes very useful in a range of situations, for instance if you want to look at the previous month you do earliest=-mon@mon latest=@mon
in order to snap to the start of the last and the current month, respectively.
earliest=-mon@mon latest=@mon
with this will it be, assuming in Feb1st at 11am, beginning Jan1st to end of Jan31st?
Or would it be beginning Jan1st to beginning Feb1st? probably pretty much the same thing really.
how come in some queries earliest works and others it doesnt? Case in point
"earliest=-2d | metadata type=hosts | table host | sort 0 user" does not work but in other queries it does?
Any search which starts with a pipe symbol e.g. | dbquery , | medatata ,| inputlookup ,| rest etc doesn't support in-line timerange modifiers. They do support time range picker values though (wherever applicable).
thanks.. sorry I'm fairly new to Splunk. So how would I add a time range picker value? I thought that's what earliest did... was just a replacement for time picker in the UI time selector.
If you're running adhoc search, you can use the timerange picker control (right of search text box). In dashboards, you're timerange picker available as dashboard level OR panel level. For saved searches, there are specific textboxes available for Start Time/Earliest and Finish time/Latest.
Not to forget the coolest snaps of them all, @w1 (Monday) to @w7 (Sunday) - they'll snap to the most recent week day.
Thank you for the quick reply Ayn.
To ensure I understand it using your example:
earliest -2d@d would give me the results from 4/26 00:00:00 - 4/28 14:00:00
where as earliest -2d would give me the results from 4/26 14:00:00 - 4/28 14:00:00