Greetings,
I have a search time range set to "Yesterday" and when I save it as an alert it changes it to "Last 1 Day". Is that the same thing? Or is "Last 1 Day" the previous 24 hours from the time the alert is run?
I run an alert at 6:00 AM and I want the results to show for the previous day. I'm afraid when it runs it will give me everything from the last 24 hours (so from 6:00 AM to 6:00 AM). When I open the alert in "Search", it shows activity from today which leads me to believe it's giving me the last 24 hours of activity. I guess I'm just wondering why it changes from "Yesterday" to "Last 1 Day" when I save the alert and how I can ensure it only shows from the previous day (midnight to midnight)? Any advice would be appreciated. Thanks.
I am also able to recreate this, and it seems like it's a bug. "Yesterday" should always mean "last full 24 hour period". Splunk 6.5.1
When I create a search and set the time picker to "Yesterday", the timeframe searched is:
(12/1/16 12:00:00.000 AM to 12/2/16 12:00:00.000 AM)
When I save this same search as an alert, set it to run every day at 0100, then open this alert in Search, the timeframe selected is now:
(12/1/16 1:11:45.000 PM to 12/2/16 1:11:45.000 PM)
Meaning, the last "24 hours" instead of the last "full 24 hours".
When I save this same search as an alert and set it to run once per week (Monday at 00:00), then open this alert in Search, the timeframe is now the past 7 days (not full 7 days, but the last 24 hours * 7 days):
(11/25/16 1:12:52.000 PM to 12/2/16 1:12:52.000 PM)
This is a pretty strange occurrence and I recommend using earliest and latest in your SPL until it gets resolved.
Edit:
Actually this seems to have been this way for a while. It doesn't really seem intuitive to me to overwrite your specified search timeframe with your scheduled alert timeframe. I would stick to using cron as your scheduling component and use -1d@d as the earliest time and @d as the latest time, then scheduling cron to run it once per day.
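To make the difference concrete, here is an added example (my own code, not part of the answer above or of Splunk) that resolves a small subset of Splunk relative-time modifiers and compares the window "Yesterday" (-1d@d to @d) gives against the window "Last 1 Day" (-1d to now) gives when an alert fires at 06:00. Only the h/d/w units and the @ snap are implemented, and the "now" used is a constructed timestamp matching the dates in the thread.

```python
"""Resolve a subset of Splunk relative-time modifiers (added example, not Splunk code).

Splunk applies the offset first, then the snap, so "-1d@d" means
"go back one day, then snap to the start of that day".
Naive datetimes are used, so DST transitions are ignored here.
"""
import re
from datetime import datetime, timedelta

# Constructed "now": the alert firing at 06:00 on 2 Dec 2016, as in the thread.
NOW = datetime(2016, 12, 2, 6, 0, 0)

_MODIFIER = re.compile(r"(?:([+-]\d+)([hdw]))?(?:@([hdw]))?")


def resolve(modifier: str, now: datetime) -> datetime:
    """Return the absolute time that `modifier` denotes relative to `now`."""
    if modifier == "now":
        return now
    m = _MODIFIER.fullmatch(modifier)
    if not m or modifier == "":
        raise ValueError(f"unsupported modifier: {modifier!r}")
    amount, unit, snap = m.groups()
    t = now
    if amount:  # step 1: apply the offset
        n = int(amount)
        t += {"h": timedelta(hours=n), "d": timedelta(days=n), "w": timedelta(weeks=n)}[unit]
    if snap:  # step 2: snap down to the unit boundary
        t = t.replace(minute=0, second=0, microsecond=0)
        if snap in ("d", "w"):
            t = t.replace(hour=0)
        if snap == "w":  # Splunk's @w snaps to Sunday, the start of its week
            t -= timedelta(days=(t.weekday() + 1) % 7)
    return t


def window(earliest: str, latest: str, now: datetime) -> tuple[str, str]:
    """Return (earliest, latest) as ISO strings for the given modifiers."""
    return resolve(earliest, now).isoformat(), resolve(latest, now).isoformat()


if __name__ == "__main__":
    # With cron_schedule "0 6 * * *" the first window is a full calendar day,
    # the second is a rolling 24 hours ending at the time the alert ran.
    print("Yesterday  :", window("-1d@d", "@d", NOW))
    print("Last 1 Day :", window("-1d", "now", NOW))
    print("Past 7 days:", window("-7d@d", "@d", NOW))
```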
Thanks. I will give this a try and test it out. I won't be able to see if it's successful until tomorrow. If it is, then I will "Accept" your answer.