How to specify a relative date and time range using earliest/latest
Release date: 2017-10-20
Last updated: 2017-10-20
Version: Splunk Enterprise 9.0.4

Overview
You can use earliest and latest to specify a relative date and time range in a search statement.

Content
Earliest and latest let you specify relative date and time ranges in your search statements.
A date and time range specified in the search statement takes precedence over the one selected in the time range picker.
Specifying date and time ranges using earliest and latest
To narrow down the date and time range of the events you want to search, specify the start date and time with earliest and the end date and time with latest.
There are various ways to specify earliest and latest; the examples below specify a relative date and time based on the current date and time.
- earliest=-12h: events in the last 12 hours
- latest=-3d: events from more than 3 days ago
- earliest=-1w@w latest=-0w@w: last week's events (Sunday through Saturday)
- earliest=-3mon@y+3mon latest=-3mon@y+15mon: events of this year counted from April (4/1 through 3/31)
In this way you can specify a range of dates and times using earliest and latest.
If you omit latest, events up to the current time are searched; you can also state this explicitly with latest=now.
See the next sections for the available date and time units and for the "@" (at sign).
Types of date units and how to use them
The date and time units that can be used are as follows.
- Year: y
- Month: mon
- Week: w
- Day: d
- Hour: h
- Minute: m
- Second: s
For example, to specify 3 days ago, write -3d; to specify 4 months ago, write -4mon. When the number is 1, as when specifying one week ago, it can be omitted, as in -w.
How to round a date and time range (truncating fractions)
When specifying a date and time, you can round the specified date and time down by using @ (at sign).
Specifying -1mon by itself means the same time of day on the same day of the month, one month before the execution date; by using @ you can instead express ranges such as "the whole of last month".
For example, if the search is executed on 9/21 at 9:37, the time ranges searched are as follows.
- earliest=-1mon: events after 8/21 9:37
- earliest=-1mon@mon: events after 8/1 0:00
- earliest=-1mon@d: events after 8/21 0:00
For example, to specify the whole of last month (August) as the date and time range, specify earliest=-1mon@mon latest=-0mon@mon.
To round the current time itself, omit the relative offset, as in latest=@d.
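To make the two sections above concrete, here is a small resolver for the relative time modifier syntax they describe (offsets such as -12h or -3mon, the @ snap, chained offsets after a snap, and the omitted-number shorthand -w). It is an added example written for this page, not code from Macnica or from Splunk; it uses only the Python standard library, supports only the seven units listed on this page, and uses a constructed reference time of 2017-09-21 09:37 (the page's "9/21 9:37" example placed in the page's release year) so that weekday-based snapping can be checked.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta

# Constructed reference time: the FAQ's "search executed at 9/21 9:37" example,
# placed in 2017 (the page's release year) so that weekdays are well defined.
NOW = datetime(2017, 9, 21, 9, 37)

# A token is either an offset ([+-]<n><unit>, n defaulting to 1) or a snap (@<unit>).
# "mon" is listed before "m" so that "-1mon" is not read as "-1m" followed by "on".
TOKEN = re.compile(r"([+-])(\d*)(mon|y|w|d|h|m|s)|@(mon|y|w|d|h|m|s)")


def add_months(dt, n):
    """Shift dt by n calendar months, clamping the day to the target month's length."""
    total = dt.year * 12 + (dt.month - 1) + n
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def shift(dt, n, unit):
    """Apply a signed offset of n units to dt."""
    if unit == "y":
        return add_months(dt, 12 * n)
    if unit == "mon":
        return add_months(dt, n)
    delta = {"w": timedelta(weeks=n), "d": timedelta(days=n),
             "h": timedelta(hours=n), "m": timedelta(minutes=n),
             "s": timedelta(seconds=n)}[unit]
    return dt + delta


def snap(dt, unit):
    """Round dt down to the start of the given unit (@y, @mon, @w, @d, @h, @m, @s)."""
    if unit == "y":
        return dt.replace(month=1, day=1, hour=0, minute=0, second=0, microsecond=0)
    if unit == "mon":
        return dt.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":
        # @w snaps to the preceding Sunday; Python's weekday() has Monday=0, Sunday=6.
        sunday = dt - timedelta(days=(dt.weekday() + 1) % 7)
        return sunday.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    return dt.replace(microsecond=0)  # unit == "s"


def resolve(modifier, now=NOW):
    """Turn a relative modifier such as '-3mon@y+3mon' into an absolute datetime."""
    spec = modifier.strip()
    if spec in ("", "now"):
        return now
    dt, pos = now, 0
    for match in TOKEN.finditer(spec):
        if match.start() != pos:  # reject unparsed characters between tokens
            raise ValueError(f"unparsable time modifier: {spec!r}")
        pos = match.end()
        sign, count, unit, snap_unit = match.groups()
        if snap_unit:
            dt = snap(dt, snap_unit)
        else:
            n = int(count) if count else 1  # "-w" is shorthand for "-1w"
            dt = shift(dt, n if sign == "+" else -n, unit)
    if pos != len(spec):  # trailing garbage after the last token
        raise ValueError(f"unparsable time modifier: {spec!r}")
    return dt


def time_range(earliest, latest="now", now=NOW):
    """Resolve an earliest/latest pair; omitting latest means 'up to now', as in SPL."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start > end:
        raise ValueError("earliest is later than latest")
    return start, end


if __name__ == "__main__":
    for spec in ["-12h", "-1mon", "-1mon@mon", "-1mon@d", "-1w@w", "-0w@w",
                 "-3mon@y+3mon", "-3mon@y+15mon", "@d", "-w"]:
        print(f"{spec:>15} -> {resolve(spec):%Y-%m-%d %H:%M}")
```

Running it reproduces the page's examples: -1mon@mon resolves to 8/1 0:00, -1mon@d to 8/21 0:00, -1w@w and -0w@w bracket the previous Sunday-to-Saturday week, and -3mon@y+3mon through -3mon@y+15mon spans 4/1 of this year to 4/1 of next year. Note that tokens are applied strictly left to right, which is why the snap must come before the +3mon offset in the April-to-March example.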
That's all.
Macnica Co., Ltd., Splunk team
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30