Refine your search:

Defining search timeframe from midnight to now

0

We have situations where we just want to show what happened "today", which is defined as from Midnight to now. That's easy to say in English, and it's easy to define latest=now, but I am having trouble figuring out what to specify as the 'earliest' value to get Splunk to understand midnight.

asked 17 Feb '11, 15:52

beaumaris's gravatar image

beaumaris
24619
accept rate: 50%

One Answer:
oldestnewestmost voted
2

Midnight is just zero hours, relative to the current day, so you can use:

 earliest=-0h@d

or just:

earliest=@d

You should also have Today available as an option in the TimeRangePicker.

link

answered 17 Feb '11, 16:11

southeringtonp's gravatar image

southeringtonp ♦
4.5k1215
accept rate: 35%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,083
×88

Asked: 17 Feb '11, 15:52

Seen: 782 times

Last updated: 17 Feb '11, 16:11

Related questions

Defining a Real time search window

format field at search time (phone, ip, MAC, etc..)

time lost duration format in a join search

search-time extracted field showing no results when used in search

Search help - need sub search to return time and host value for new search

Defining search-peer with configuration only

Entering earliest and latest time for backfill summary search. What is the format?

Limit Search by timeframe

troubleshoot search time field extraction with search pools and mounted knowledge bundles

Copyright © 2005-2012 Splunk, Inc. All rights reserved.