Solved: earliest/latest returning zero results

DEAD_BEEF · ‎08-02-2017

I apologize as I feel I am missing something very basic, but for the life of me I cannot get this query to work. I have a simple query and it is returning zero results. If I remove the earliest/latest, I get tons of results.

What syntactical mistake am I making? I have the time picker set to 1 hour, but my understanding is that when using earliest/latest, they override the time picker.

index=firewall earliest=-24@h latest=-12@h

sbbadri · ‎08-02-2017

try this

index=firewall earliest=-24h@h latest=-12h@h

please go through below link,

http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch

View solution in original post

sbbadri · ‎08-02-2017

try this

index=firewall earliest=-24h@h latest=-12h@h

please go through below link,

http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch

DEAD_BEEF · ‎08-02-2017

Ahhh... I completely overlooked that extra character. I read the documentation but was clearly scanning the syntax too fast. Thank you!

DalJeanis · ‎08-02-2017

I believe you are correct, and the explanation is that -24 means "subtract 24 seconds".

earliest/latest returning zero results

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...