Solved: Difference between the time mentioned in the splun...

pavanae · ‎01-26-2018

I have a query as follows

_index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00" index="ABC"......| stats count by x

And on the right ride of the search bar. I have chosen the date range from timerange picker as below

Now as per the above does the query pulls the results from the time I specified on the query _index_earliest="01/20/2018:00:00:00" _index_latest="01/21/2018:00:00:00" or is it going to pull the results from the timepicker I specified (01/18/2018 and 01/23/2018)

Can someone explain the difference and clarify me on which time frame the query will use?

mayurr98 · ‎01-26-2018

hey

_index_earliest = Specify the earliest _indextime for the time range of your search.
_index_latest = Specify the latest _indextime for the time range of your search.

For example, if you wanted to search for events indexed in the previous hour, use: _index_earliest=-h@h _index_latest=@h
but if you choose date range from timerange picker then it will consider that timerange and within that time range _index_earliest=-h@h _index_latest=@h if this condition satisfies then search will return results.

For example,
consider a case, you have indexed 60 events in last 60 minutes i.e. 1 event per second. So your indextime and timepicker will act same.

case1: _index_earliest &  _index_latest set to last 60 minutes and timepicker set to last 30 minutes. 
Result would be 30 events only

case2: _index_earliest &  _index_latest set to last 60 minutes and timepicker set to last 60 minutes. 
Result would be 60 events 

case3: _index_earliest &  _index_latest set to last 30 minutes and timepicker set to last  60 minutes. 
Result would be 30 events only

For more information have a look at this doc
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers#_time_an...

let me know if this helps!

View solution in original post

mayurr98 · ‎01-26-2018

hey

_index_earliest = Specify the earliest _indextime for the time range of your search.
_index_latest = Specify the latest _indextime for the time range of your search.

For example, if you wanted to search for events indexed in the previous hour, use: _index_earliest=-h@h _index_latest=@h
but if you choose date range from timerange picker then it will consider that timerange and within that time range _index_earliest=-h@h _index_latest=@h if this condition satisfies then search will return results.

For example,
consider a case, you have indexed 60 events in last 60 minutes i.e. 1 event per second. So your indextime and timepicker will act same.

case1: _index_earliest &  _index_latest set to last 60 minutes and timepicker set to last 30 minutes. 
Result would be 30 events only

case2: _index_earliest &  _index_latest set to last 60 minutes and timepicker set to last 60 minutes. 
Result would be 60 events 

case3: _index_earliest &  _index_latest set to last 30 minutes and timepicker set to last  60 minutes. 
Result would be 30 events only

For more information have a look at this doc
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers#_time_an...

let me know if this helps!

Difference between the time mentioned in the splunk query and time range picker? which time does my query pulls the results?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor