Splunk Search

how to search only for current date?

sfatnass
Contributor

hi,

i need to know what i should insert into latest_time and earliest_time to specify search only for current day

Tags (2)
0 Karma
1 Solution

sfatnass
Contributor

i solved it just attribute earliest_time=@d not need latest_time thx for reply

View solution in original post

0 Karma

sfatnass
Contributor

i solved it just attribute earliest_time=@d not need latest_time thx for reply

0 Karma

jkat54
SplunkTrust
SplunkTrust

You might also be interested in _index_earliest=-@d

0 Karma

sfatnass
Contributor

no just get logs only for today

0 Karma

inventsekar
Ultra Champion

For example, to start your search an hour ago use either of the following time modifiers.

earliest=-h

For current day,

earliest=-d latest=now

0 Karma

sfatnass
Contributor

earliest=-d latest=now

get one day (24) i tryed it but he count since:
earliest=09/26/2016 15:09:00 latest=09/27/2016 15:09:00

but i need only the current day:

earliest=09/27/2016 00:00:00 latest=09/27/2016 15:09:00

0 Karma

inventsekar
Ultra Champion

@d-2h Snap to the beginning of today (12AM) and subtract 2 hours from that time.

Please try
earliest=-d@d latest=now

0 Karma

Walt_Splunk
Explorer
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...