Splunk Search

What time modifiers do I need to look at 1 hour of data for yesterday relative to today?

HattrickNZ
Motivator

I want to just look at 1 hour for yesterday, but I want it to be relative to today so no matter when I look at it in the future it will always be yesterday.

So if I look at it today it will show yesterdays value at 12pm to 1pm
And if I look at it next week it will show the day before that day at 12pm to 1pm

I am thinking of something like -1d@d for the earliest and @d for the latest but how do i get the hour I want?

0 Karma
1 Solution

grijhwani
Motivator

-1d@h to -23h@h

You can use any of the units for range as as your "snap to" boundaries.

View solution in original post

0 Karma

grijhwani
Motivator

-1d@h to -23h@h

You can use any of the units for range as as your "snap to" boundaries.

0 Karma

HattrickNZ
Motivator

will that work? will that not always be 23hours ago from your current hour. I want same hour for yesterday all the time.

0 Karma

grijhwani
Motivator

I just had another thought, it could also be specified as @d-12h to @d-11h.

0 Karma

grijhwani
Motivator

So what you are saying is that you will always want the hour 12:00..13:00 of the previous day.

OK, so that should be -d@d+12h to -d@d+13h.

You can add and subtract offsets after the snap.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...