Alerting

In time range picker, is the time range "Last 1 Day" the same as "Yesterday"?

SplunkLunk
Path Finder

Greetings,

I have a search time range set to "Yesterday" and when I save it as an alert it changes it to "Last 1 Day". Is that the same thing? Or is "Last 1 Day" the previous 24 hours from the time the alert is run?

I run an alert at 6:00 AM and I want the results to show for the previous day. I'm afraid when it runs it will give me everything from the last 24 hours (so from 6:00 AM to 6:00 AM). When I open the alert in "Search", it shows activity from today which leads me to believe it's giving me the last 24 hours of activity. I guess I'm just wondering why it changes from "Yesterday" to "Last 1 Day" when I save the alert and how I can ensure it only shows from the previous day (midnight to midnight)? Any advice would be appreciated. Thanks.

coltwanger
Contributor

I am also able to recreate this, and it seems like it's a bug. "Yesterday" should always mean "last full 24 hour period". Splunk 6.5.1

When I create a search and set the time picker to "Yesterday", the timeframe searched is:

(12/1/16 12:00:00.000 AM to 12/2/16 12:00:00.000 AM)

When I save this same search as an alert, set it to run every day at 0100, then open this alert in Search, the timeframe selected is now:

(12/1/16 1:11:45.000 PM to 12/2/16 1:11:45.000 PM)

Meaning, the last "24 hours" instead of the last "full 24 hours".

When I save this same search as an alert and set it to run once per week (Monday at 00:00), then open this alert in Search, the timeframe is now the past 7 days (not full 7 days, but the last 24 hours * 7 days):

(11/25/16 1:12:52.000 PM to 12/2/16 1:12:52.000 PM)

This is a pretty strange occurrence and I recommend using earliest and latest in your SPL until it gets resolved.

Edit:

Actually this seems to have been this way for a while. It doesn't really seem intuitive to me to overwrite your specified search timeframe with your scheduled alert timeframe. I would stick to using cron as your scheduling component and use -1d@d as the earliest time and @d as the latest time, then scheduling cron to run it once per day.

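To make the difference between the two windows concrete, here is an added example (not from the thread or from Splunk itself) that resolves a small subset of Splunk relative-time modifiers against a fixed reference time. It assumes the offset-then-snap form only (e.g. -1d@d), models "Last 1 Day" as earliest=-1d, latest=now as described above, and uses a constructed 6:00 AM run time.

```python
from datetime import datetime, timedelta
import re

# Subset of Splunk relative-time syntax: optional signed offset, optional "@unit" snap.
# Assumption: units s/m/h/d/w only, and the snap always follows the offset ("-1d@d").
_MOD = re.compile(r"^(?:(?P<sign>[+-])(?P<n>\d+)(?P<unit>[smhdw]))?(?:@(?P<snap>[smhdw]))?$")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def resolve(modifier: str, now: datetime) -> datetime:
    """Resolve a relative-time modifier: apply the offset first, then snap."""
    if modifier == "now":
        return now
    m = _MOD.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    t = now
    if m.group("n"):
        delta = timedelta(**{_UNIT[m.group("unit")]: int(m.group("n"))})
        t = t + delta if m.group("sign") == "+" else t - delta
    snap = m.group("snap")
    if snap == "s":
        t = t.replace(microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "w":  # @w snaps to the start of the week (Sunday) in Splunk
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
        t -= timedelta(days=(t.weekday() + 1) % 7)
    return t


def window(earliest: str, latest: str, now: datetime):
    """Return the (earliest, latest) search window for a pair of modifiers."""
    return resolve(earliest, now), resolve(latest, now)


# Constructed reference time: the alert fires on 2016-12-02 at 06:00.
RUN_AT = datetime(2016, 12, 2, 6, 0, 0)
ROLLING = window("-1d", "now", RUN_AT)        # "Last 1 Day": a rolling 24 hours
PREVIOUS_DAY = window("-1d@d", "@d", RUN_AT)  # "Yesterday": midnight to midnight

if __name__ == "__main__":
    print("Last 1 Day:", ROLLING)
    print("Yesterday :", PREVIOUS_DAY)
```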

SplunkLunk
Path Finder

Thanks. I will give this a try and test it out. I won't be able to see if it's successful until tomorrow. If it is, then I will "Accept" your answer.
