How do I set a timerange to be the last full 7 days?

Peter
Path Finder

I have a script that populates the previous day's data early in the following morning. How do I set a time range such that I get results from the past 7 full days? Setting "earliest=-7d" still relies on the current time. So if today is Tuesday the 30th, I want to search from midnight last Tuesday to midnight on the 29th.

2 Solutions

hulahoop
Splunk Employee

Try earliest=-7d@d (snap to the beginning of the day).

gkanapathy
Splunk Employee

You would need to use earliest=-7d@d, but you also need latest=@d to set the end time correctly to the 00:00 today/24:00 yesterday. (I assume that's what you mean by "midnight"; if you meant 00:00 yesterday, then you need latest=-1d@d instead.)

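A way to check the boundaries discussed in the answers above before putting them in a scheduled search, as an added example that is not part of the original thread. It needs no indexed data; the field names (run_time, rolling_earliest and so on) are chosen here for illustration.

```spl
| makeresults
| eval run_time = now()
``` earliest=-7d: exactly 7*24h before the search start, so it moves with the clock ```
| eval rolling_earliest = relative_time(run_time, "-7d")
``` earliest=-7d@d: go back 7 days, then snap to 00:00 of that day ```
| eval snapped_earliest = relative_time(run_time, "-7d@d")
``` latest=@d: 00:00 today, i.e. the end of yesterday ```
| eval latest_today_0000 = relative_time(run_time, "@d")
``` latest=-1d@d: 00:00 yesterday, which drops yesterday's data from the window ```
| eval latest_yesterday_0000 = relative_time(run_time, "-1d@d")
``` length of the -7d@d .. @d window, computed while the fields are still epoch seconds ```
| eval window_days = round((latest_today_0000 - snapped_earliest) / 86400, 2)
``` render every boundary in the search-time zone for reading ```
| foreach run_time rolling_earliest snapped_earliest latest_today_0000 latest_yesterday_0000
    [ eval <<FIELD>> = strftime(<<FIELD>>, "%Y-%m-%d %H:%M:%S %Z") ]
| fields - _time
```

For a run early on Tuesday the 30th, snapped_earliest shows 00:00 on the 23rd and latest_today_0000 shows 00:00 on the 30th. window_days reads 7 unless a daylight-saving change falls inside the window, in which case the seven calendar days are an hour shorter or longer.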
