Implementing Splunk 7(Third Edition)

Specifying time in-line in your search

You can also use relative and exact times directly in your search string. For instance, given the search terms bob error, you can specify the time frame you want directly in the search with the earliest and latest fields:

  • To search for errors affecting bob in the last 60 minutes, use earliest=-60m bob error
  • To search for errors affecting bob in the last 3 hours, snapped to the beginning of the hour, use earliest=-3h@h bob error (the offset is applied first, then the @h snap truncates the result to the top of that hour)
  • To search for errors affecting bob yesterday, use earliest=-1d@d latest=-0d@d bob error (midnight yesterday up to midnight today)
  • To search for errors affecting bob since midnight on the most recent Monday, use earliest=@w1 bob error (@w0 or a bare @w snaps to Sunday, @w1 to Monday, and so on through @w6 for Saturday)
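To see what these modifiers actually resolve to, here is a small resolver for the relative time syntax used above. It is an added illustration written for this page, not Splunk's own code, and it only implements the subset shown here: an optional [+|-]<n><unit> offset with s/m/h/d/w units, followed by an optional @s, @m, @h, @d or @w0..@w6 snap, applied in that order (chained forms such as @d-2h and the mon/q/y units are not handled). REFERENCE_NOW is a constructed reference time, a Wednesday afternoon, chosen so the week snap is easy to check.

```python
"""Resolve Splunk-style relative time modifiers against a reference time.

Added example for illustration only; it mirrors the documented semantics
for the subset of the syntax used on this page and is not Splunk's code.
"""
import re
from datetime import datetime, timedelta

# Constructed reference time: Wednesday 15 May 2024, 14:37:22.
REFERENCE_NOW = datetime(2024, 5, 15, 14, 37, 22)

# Offset units handled here (Splunk also accepts mon, q and y; omitted).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# [+|-]<n><unit> optionally followed by @<snap>; snap is s/m/h/d or w, w0..w6.
MODIFIER_RE = re.compile(
    r"^(?:(?P<sign>[+-])(?P<n>\d+)(?P<unit>[smhdw]))?"
    r"(?:@(?P<snap>[smhd]|w[0-6]?))?$"
)


def snap(t, unit):
    """Truncate t down to the start of the given unit."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit.startswith("w"):
        # Splunk numbers days Sunday=0 .. Saturday=6; Python uses Monday=0 .. Sunday=6.
        splunk_day = int(unit[1:] or 0)
        target = (splunk_day - 1) % 7
        days_back = (t.weekday() - target) % 7
        midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
        return midnight - timedelta(days=days_back)
    raise ValueError(f"unsupported snap unit: {unit}")


def resolve(modifier, now):
    """Apply the offset first, then the snap-to, and return the resulting datetime."""
    if modifier == "now":
        return now
    m = MODIFIER_RE.match(modifier)
    if modifier == "" or m is None:
        raise ValueError(f"bad relative time modifier: {modifier!r}")
    t = now
    if m.group("n") is not None:
        delta = timedelta(seconds=int(m.group("n")) * UNIT_SECONDS[m.group("unit")])
        t = t + delta if m.group("sign") == "+" else t - delta
    if m.group("snap"):
        t = snap(t, m.group("snap"))
    return t


def time_window(search, now):
    """Pull earliest=/latest= out of a search string.

    Returns (earliest, latest, remaining_terms); a missing latest means now,
    a missing earliest is returned as None (no lower bound).
    """
    bounds = {"earliest": None, "latest": "now"}
    rest = []
    for token in search.split():
        key, sep, value = token.partition("=")
        if sep and key in bounds:
            bounds[key] = value
        else:
            rest.append(token)
    earliest = resolve(bounds["earliest"], now) if bounds["earliest"] else None
    latest = resolve(bounds["latest"], now)
    return earliest, latest, " ".join(rest)


if __name__ == "__main__":
    for mod in ("-60m", "-3h@h", "-1d@d", "-0d@d", "@w1", "@w0"):
        print(f"{mod:>8} -> {resolve(mod, REFERENCE_NOW).isoformat()}")
    print(time_window("earliest=-1d@d latest=-0d@d bob error", REFERENCE_NOW))
```

Running the module prints each modifier beside the timestamp it resolves to; note how -3h@h lands on 11:00:00 rather than 11:37:22 because the snap is applied after the offset, and how @w1 reaches back to Monday the 13th from a Wednesday.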

You cannot use different time ranges within a single search; for instance, the Boolean search (earliest=-1d@d latest=-0d@d bob error) OR (earliest=-2d@d latest=-1d@d mary error) will not do what you might expect, because earliest and latest are not scoped to the parenthesized term they appear in. The append command provides a way of accomplishing this: run the second time range as a subsearch and append its results to the first search (union will work as well).