I solved it: just the attribute earliest_time=@d, no need for latest_time. Thanks for the reply.
You might also be interested in _index_earliest=-@d
No, just get logs only for today.
For example, to start your search an hour ago use either of the following time modifiers.
earliest=-h
For current day,
earliest=-d latest=now
That gets one day (24). I tried it, but it counts since:
earliest=09/26/2016 15:09:00 latest=09/27/2016 15:09:00
But I need only the current day:
earliest=09/27/2016 00:00:00 latest=09/27/2016 15:09:00
@d-2h Snap to the beginning of today (12AM) and subtract 2 hours from that time.
Please try
earliest=-d@d latest=now
Check out this list of time modifiers in Splunk Docs, https://docs.splunk.com/Documentation/Splunk/6.4.3/Search/Specifytimemodifiersinyoursearch