Difference between earliest -2d and earliest -2d@d?

MichaelCohen829
Explorer

Hello,

Could someone please delineate the difference between these two earliest commands:

earliest=-2d

earliest=-2d@d

Thank you,

Mike


Ayn
Legend

So say you're issuing a search at 14:00 on the 28th of April.

earliest=-2d will go back exactly two days and start at 14:00 on the 26th of April.
earliest=-2d@d will go back to two days ago and then "snap" to 00:00 of that day - it means "give me events from the 26th and onwards".

This becomes very useful in a range of situations, for instance if you want to look at the previous month you do earliest=-mon@mon latest=@mon in order to snap to the start of the last and the current month, respectively.

HattrickNZ
Motivator

earliest=-mon@mon latest=@mon - with this, will it be, assuming it is Feb 1st at 11am, beginning of Jan 1st to end of Jan 31st?
Or would it be beginning of Jan 1st to beginning of Feb 1st? Probably pretty much the same thing really.


mendesjo
Path Finder

How come in some queries earliest works and in others it doesn't? Case in point:
"earliest=-2d | metadata type=hosts | table host | sort 0 user" does not work, but in other queries it does?


somesoni2
SplunkTrust

Any search which starts with a pipe symbol, e.g. | dbquery, | metadata, | inputlookup, | rest etc., doesn't support in-line timerange modifiers. They do support time range picker values though (wherever applicable).


mendesjo
Path Finder

Thanks.. sorry, I'm fairly new to Splunk. So how would I add a time range picker value? I thought that's what earliest did... that it was just a replacement for the time picker in the UI time selector.


somesoni2
SplunkTrust

If you're running an ad hoc search, you can use the timerange picker control (right of the search text box). In dashboards, your timerange picker is available at dashboard level OR panel level. For saved searches, there are specific textboxes available for Start Time/Earliest and Finish Time/Latest.


martin_mueller
SplunkTrust

Not to forget the coolest snaps of them all, @w1 (Monday) to @w7 (Sunday) - they'll snap to the most recent week day.

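To make the "offset first, then snap" rule from Ayn's answer and the @w1..@w7 snaps from martin_mueller's comment concrete, here is an added example (not code from this thread or from Splunk) that resolves a subset of the relative-time modifier grammar in plain Python. It assumes the syntax described in the thread (an optional signed offset such as -2d or -mon, then an optional snap such as @d, @mon or @w1) and uses 14:00 on 28 April 2014 as a constructed search time.

```python
import re
from datetime import datetime, timedelta

# Subset of Splunk's relative-time grammar: an optional offset such as -2d, +3h
# or -mon (a missing count means 1), then an optional snap such as @d, @mon or
# @w1. The offset is applied first; the snap then rounds down to a boundary.
_MODIFIER = re.compile(
    r"^(?:(?P<sign>[+-])(?P<n>\d*)(?P<unit>mon|s|m|h|d|w))?"
    r"(?:@(?P<snap>mon|w(?P<wday>[0-7])?|[smhd]))?$"
)
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def _shift_months(t: datetime, months: int) -> datetime:
    """Move t by whole months, clamping the day so Mar 31 minus 1mon is Feb 28."""
    year, month0 = divmod(t.year * 12 + t.month - 1 + months, 12)
    last_day = (datetime(year + (month0 == 11), (month0 + 1) % 12 + 1, 1) - timedelta(days=1)).day
    return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))

def _snap(t: datetime, unit: str, wday) -> datetime:
    """Round t down to the start of the unit (@s, @m, @h, @d, @mon, @w[0-7])."""
    if unit in ("s", "m", "h"):
        zero = {"s": (), "m": ("second",), "h": ("minute", "second")}[unit]
        return t.replace(microsecond=0, **{f: 0 for f in zero})
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "mon":
        return day.replace(day=1)
    # @w, @w0 and @w7 mean Sunday; @w1..@w6 mean Monday..Saturday. The snap lands
    # on the most recent such day, which may be today. Python: Monday=0..Sunday=6.
    target = (int(wday or 0) - 1) % 7
    return day - timedelta(days=(day.weekday() - target) % 7)

def resolve(modifier: str, now: datetime) -> datetime:
    """Turn a Splunk-style relative time modifier into an absolute datetime."""
    m = _MODIFIER.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    t = now
    if m.group("unit"):
        n = int(m.group("n") or 1) * (-1 if m.group("sign") == "-" else 1)
        t = _shift_months(t, n) if m.group("unit") == "mon" else t + timedelta(**{_UNITS[m.group("unit")]: n})
    if m.group("snap"):
        t = _snap(t, m.group("snap"), m.group("wday"))
    return t

if __name__ == "__main__":
    now = datetime(2014, 4, 28, 14, 0)  # Ayn's example time; the year is constructed
    for mod in ("-2d", "-2d@d", "-mon@mon", "@mon", "@w1", "@w7"):
        print(f"earliest={mod:<9} -> {resolve(mod, now):%Y-%m-%d %H:%M}")
```

Running it shows -2d landing at 14:00 on the 26th while -2d@d lands at 00:00, and -mon@mon / @mon giving the first of March and the first of April, which also answers HattrickNZ's question about the previous-month range.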

MichaelCohen829
Explorer

Thank you for the quick reply Ayn.

To ensure I understand it using your example:

earliest=-2d@d would give me the results from 4/26 00:00:00 - 4/28 14:00:00

whereas earliest=-2d would give me the results from 4/26 14:00:00 - 4/28 14:00:00
