Solved: Latest value to be at midnight yesterday

royimad · ‎09-12-2013

Hello Splunk,

How to precise a value for latest to be equal to midnight yesterday.
Example: Today is 9-12-2013 and i want to get event till the end of day 9-11-2013

What should be the value

royimad · ‎09-23-2013

Hi MuS,

Example 1: search sourcetype=".... earliest=-7d@d latest=@d ( Last Week )
Example 2: search sourcetype=".....earliest=-1d@d latest=@d ( Yesterday )

Simple:@d will truncate data till midnight
This example show last week and yesterday data ending by midnight.

Thanks,

View solution in original post

royimad · ‎09-23-2013

Hi MuS,

Example 1: search sourcetype=".... earliest=-7d@d latest=@d ( Last Week )
Example 2: search sourcetype=".....earliest=-1d@d latest=@d ( Yesterday )

Simple:@d will truncate data till midnight
This example show last week and yesterday data ending by midnight.

Thanks,

HattrickNZ · ‎04-29-2015

will example 1 show mon-sun of last week if run on a wednesday? Or does it have to be run on a monday?

MuS · ‎09-12-2013

Hi royimad

that would be latest=-1d@d to be used in your search.

You can find time modifiers here or in the UI select the time range picker - custom time and in the next screen select Advanced search language and start with your test. The nice thing in the UI is, that the time modifiers like -1d@d gets translated into human readable time.

hope that helps....

cheers, MuS

Latest value to be at midnight yesterday

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!