Hello ! 🙂
I want to change my earliest and latest time in line with my search string. I dont have to use the time range picker because it has a separate date range.
index=rbi sourcetype=change earliest=-1month@month latest=@month|stats latest(cm_actualsched) as pmas
thanks for the help splunkers!
I believe that when you set latest=now()
and leave earliest
blank, you get an all time search.
Per https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/SearchTimeModifiers earliest=1 should be used.
If you want to search events from the start of UNIX time, use earliest=1.
When earliest=1 and latest=now() are used, the search runs over all time.
I believe that when you set latest=now()
and leave earliest
blank, you get an all time search.
thanks @jeffland!
hi shariinPH,
try use this change -1month@month
by -1mon@mon
and @month
by @mon
index=rbi sourcetype=change earliest=-1mon@mon latest=@mon|stats latest(cm_actualsched) as pmas
Nb: I using the splunk 6.2.2
try and let me know.
put earliest=0
and latest=now()
please validate my answer
validate the answers for gyslainlatsa
please validate my answers and not your comments
Hi gyslainlatsa, thanks for your answer 🙂 but i want to change that months into all time . so my earliest should be the first indexed data and my latest should be the latest indexed data .. do you know how to do it?
Cheers 🙂
@gyslainlatsa