Solved: How do I set a timerange to be the last full 7 day...

Peter · ‎03-30-2010

I have a script that populates the previous day's data early in the following morning. How do I set a time range such that I get results from the past 7 full days? Setting "earliest=-7d" still relies on the current time. So if today is Tuesday the 30th, I want to search from midnight last Tuesday to midnight on the 29th.

hulahoop · ‎03-30-2010

Try earliest=-7d@d (snap to the beginning of the day).

View solution in original post

gkanapathy · ‎03-30-2010

You would need to use earliest=-7d@d, but you also need latest=@d to set the end time correctly to the 00:00 today/24:00 yesterday. (I assume that's what you mean by "midnight"; if you meant 00:00 yesterday, then you need latest=-1d@d instead.)

View solution in original post

gkanapathy · ‎03-30-2010

You would need to use earliest=-7d@d, but you also need latest=@d to set the end time correctly to the 00:00 today/24:00 yesterday. (I assume that's what you mean by "midnight"; if you meant 00:00 yesterday, then you need latest=-1d@d instead.)

Johnvey · ‎04-01-2010

The full description of relative time range modifiers is here: http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch#Specify_relative...

hulahoop · ‎03-30-2010

Try earliest=-7d@d (snap to the beginning of the day).

How do I set a timerange to be the last full 7 days?

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!