Solved: How do you set up a time range from 7 pm to 2 pm f...

shaikhussain2 · ‎09-19-2018

We had set up a report which triggers on an hourly basis from 8PM to 2PM (earliest = -1d@d+20h & latest = @d+14h) but we are getting correct reports starting from 12:00 AM only and before that its taking last 24 hours report (9PM, 10PM, 11PM reports).

Thanks,
Shaik Hussain

datasearchninja · ‎09-19-2018

You need to add some hours into the calculation to shift the base hours into the next day when it is somewhere between 8pm -> midnight

So:
earliest=+4h@d-4h
When it is between midnight and 8pm, this will calculate to 8pm yesterday, after 8pm it will be 8pm today

latest=+4h@d+14h
When it is between midnight and 8pm, this will calculate to 2pm today, after 8pm it will be 2pm tommorrow

View solution in original post

datasearchninja · ‎09-19-2018

You need to add some hours into the calculation to shift the base hours into the next day when it is somewhere between 8pm -> midnight

So:
earliest=+4h@d-4h
When it is between midnight and 8pm, this will calculate to 8pm yesterday, after 8pm it will be 8pm today

latest=+4h@d+14h
When it is between midnight and 8pm, this will calculate to 2pm today, after 8pm it will be 2pm tommorrow

shaikhussain2 · ‎09-21-2018

Thanks colin, It is working perfectly now and thanks for elaborating the answer.

How do you set up a time range from 7 pm to 2 pm for a scheduled hourly report?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?